From the2nd at otpme.org Tue Dec 1 00:19:20 2015
From: the2nd at otpme.org (the2nd at otpme.org)
Date: Tue, 01 Dec 2015 00:19:20 +0100
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
Message-ID:
Hi again,
i asked for help on the openssh list and was told to ask the devs of
gpg-agent for help ;)
https://groups.google.com/forum/#!topic/mailing.unix.openssh-dev/qSPsDdj5-0M
So are any devs reading on this list? The problem is reproducible and i
am willing to help debugging and whatever is needed to fix the issue. :)
regards
the2nd
On 2015-11-23 16:53, the2nd at otpme.org wrote:
> Hi,
>
> i've done some more testing and found out that the problem starts to
> exist with openssh version 6.8p1. With 6.7p1 everything works perfect.
> I downloaded the openssh tarballs one by one, compiled with
> ./configure;make and just copied the "ssh" binary.
>
> I was able to reproduce the problem with the following steps:
>
> 1. Start gpg-agent: eval $(gpg-agent --daemon --enable-ssh-support
> --log-file ~/.gnupg/gpg-agent.log)
> 2. Login to any host with your SSH key and keep the session open: ssh
> -l root localhost
> 3. Plug your yubikey out/in
> 4. Try to login with your SSH key to any other host
>
> With openssh 6.8p1 this fails reproducibly. With version 6.7p1 or
> earlier it works.
>
> As a workaround i replaced my ssh client binary with the old version.
>
> It would be great to get a real fix for this. But i am unsure where
> the real problem lies, gpg or openssh.
>
> Maybe we should ask this on the openssh list?
>
> regards
> the2nd
>
>
> On 2015-11-22 03:06, Lance R. Vick wrote:
>> This happens to me constantly as well. In my case I frequently need to
>> kill and restart gpg-agent to get things working again on both Arch
>> Linux and Gentoo.
>>
>> On Sat, Nov 21, 2015 at 4:41 AM, the2nd wrote:
>>
>>> Hi Ben,
>>>
>>> We have a similar problem since we've upgraded from Ubuntu 15.04 to
>>> 15.10. When starting gpg-agent with --log-file the log shows the
>>> following:
>>>
>>> 2015-05-30 13:49:36 gpg-agent[3600] error accessing card: Conflicting use
>>> 2015-05-30 13:49:36 gpg-agent[3600] smartcard signing failed: Conflicting use
>>> 2015-05-30 13:49:38 gpg-agent[3600] error getting default authentication keyID of card: Conflicting use
>>>
>>> I've asked the list several times about this issue but got no answer
>>> yet. So i don't have a solution but it may be interesting if your
>>> problem is the same...
>>>
>>> Regards
>>> The2nd
>>>
>>> -------- Original Message --------
>>> From: Ben Warren
>>> Date: 11.20.2015 16:26 (GMT+01:00)
>>> To: gnupg-users at gnupg.org
>>> Subject: scdaemon lockup with Yubikey NEO
>>>
>>> Hi,
>>>
>>> I've noticed several other problem reports that seem similar,
>>> hopefully they're all related and there's a simple fix.
>>>
>>> The problem:
>>>
>>> After an indeterminate amount of time (sometimes minutes, sometimes
>>> hours), any GPG operation that uses my Yubikey NEO device hangs.
>>> The two most common operations are SSH authentication and git
>>> signing. The following sequence gets things going again:
>>>
>>> $ killall -SIGKILL scdaemon
>>>
>>> $ gpg2 --card-status
>>>
>>> System particulars:
>>>
>>> * Host OS is OS-X Yosemite, although it is also present on
>>> Mavericks (haven't tried El Capitan yet)
>>>
>>> * GPG 2.1.5
>>>
>>> * Using the Yubikey's authentication subkey to login to remote
>>> Linux hosts
>>>
>>> * Using the Yubikey's signing subkey for git signing operations,
>>> both local and remote
>>>
>>> * Using gpg-agent for forwarding both GPG and SSH (great features,
>>> BTW!)
>>>
>>> GPG configuration file:
>>>
>>> $ cat ~/.gnupg/gpg-agent.conf
>>>
>>> default-cache-ttl 1
>>>
>>> ignore-cache-for-signing
>>>
>>> no-allow-external-cache
>>>
>>> max-cache-ttl 1
>>>
>>> extra-socket ${HOME}/.gnupg/S.gpg-extra-agent
>>>
>>> debug-all
>>>
>>> log-file ${HOME}/.gnupg/mygpglogfile.log
>>>
>>> enable-ssh-support
>>>
>>> I'll be happy to help debug this, but need some guidance.
>>>
>>> thanks,
>>>
>>> Ben
>>> _______________________________________________
>>> Gnupg-users mailing list
>>> Gnupg-users at gnupg.org
>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users [1]
>>
>> --
>>
>> Lance R. Vick
>> __________________________________________________
>> Cell      -  407.283.7596
>> Gtalk     -  lance at lrvick.net
>> Website   -  http://lrvick.net [2]
>> PGP Key   -  http://lrvick.net/0x36C8AAA9.asc [3]
>> keyserver -  subkeys.pgp.net [4]
>> __________________________________________________
>>
>> Links:
>> ------
>> [1] http://lists.gnupg.org/mailman/listinfo/gnupg-users
>> [2] http://lrvick.net
>> [3] http://lrvick.net/0x36C8AAA9.asc
>> [4] http://subkeys.pgp.net
>
From rjh at sixdemonbag.org Tue Dec 1 01:37:30 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 30 Nov 2015 19:37:30 -0500
Subject: problems decrypting ASCII-armored file
In-Reply-To:
References:
Message-ID: <565CEBCA.5000008@sixdemonbag.org>
On 11/30/15 5:41 PM, Andrew Gallagher wrote:
> That's a Unicode byte order mark. Strictly, it should only be used in
> UTF-16 documents but in the real world it's commonly used to mark any
> Unicode file....
It's a UTF-16BE BOM, you mean. The UTF-8 BOM is 0xEF 0xBB 0xBF.
It's a little weird. You don't see much UTF-16BE out there.
From gniibe at fsij.org Tue Dec 1 04:13:25 2015
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 01 Dec 2015 12:13:25 +0900
Subject: How important are Admin PIN and Passphrase in this scenario?
In-Reply-To: <565B849A.7040403@krebs.uno>
References: <565B849A.7040403@krebs.uno>
Message-ID: <565D1055.3070606@fsij.org>
On 11/30/2015 08:04 AM, Daniel Krebs wrote:
> There is a smartcard with subkeys for encryption, signing and
> authentication.
[...]
> In any case there seems to
> be no real benefit of using an extraordinarily strong admin pin because
> there are only three tries before the card gets rendered unusable. The
> passphrase is only used in the secure environment.
I agree with your argument in general. I think that it depends on the
smartcard implementation, its strength against physical attacks,
and how you protect/detect your smartcard against possible steal.
If the implementation stores your private key as raw data with no
encryption (and use pin/passphrase only for authentication), complex
pin/passphrase doesn't matter, perhaps.
When the implementation stores your private key encrypted by
pin/passphrase and the hardware is relatively weak by physical
attacks, pin/passphrase with enough entropy still makes sense
(somehow).
Suppose I have a practice to use my token everyday and I always make
sure having it, so that I can know its non-existence. Then, when I
lost my token, if I could believe that it would take a week (to break
the token physically + to break encryption by brute force) by
complex passphrase, it makes sense for me.
--
From gniibe at fsij.org Tue Dec 1 05:16:51 2015
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 01 Dec 2015 13:16:51 +0900
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To:
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
Message-ID: <565D1F33.4090206@fsij.org>
On 12/01/2015 08:19 AM, the2nd at otpme.org wrote:
> So are any devs reading on this list? The problem is reproducible
> and i am willing to help debugging and whatever is needed to fix the
> issue. :)
Yes.
It is not reproducible for me. I'm using OpenSSH 6.9p1.
>> i've done some more testing and found out that the problem starts to
>> exist with openssh version 6.8p1. With 6.7p1 everything works perfect.
>> I downloaded the openssh tarballs one by one, compiled with
>> ./configure;make and just copied the "ssh" binary.
>>
>> I was able to reproduce the problem with the following steps:
>>
>> 1. Start gpg-agent: eval $(gpg-agent --daemon --enable-ssh-support
>> --log-file ~/.gnupg/gpg-agent.log)
>> 2. Login to any host with your SSH key and keep the session open: ssh
>> -l root localhost
>> 3. Plug your yubikey out/in
>> 4. Try to login with your SSH key to any other host
Do you have multiple gpg-agent when you encounter failure? Or
multiple scdaemon?
--
From andrewg at andrewg.com Tue Dec 1 09:41:00 2015
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 1 Dec 2015 08:41:00 +0000
Subject: problems decrypting ASCII-armored file
In-Reply-To: <565CEBCA.5000008@sixdemonbag.org>
References:
<565CEBCA.5000008@sixdemonbag.org>
Message-ID:
>> On 11/30/15 5:41 PM, Andrew Gallagher wrote:
>> That's a Unicode byte order mark. Strictly, it should only be used in
>> UTF-16 documents but in the real world it's commonly used to mark any
>> Unicode file....
>
> It's a UTF-16BE BOM, you mean. The UTF-8 BOM is 0xEF 0xBB 0xBF.
>
> It's a little weird. You don't see much UTF-16BE out there.
It's the same thing. One is just a different encoding of the other. The OP's software is obviously Unicode-capable as it displayed the unknown character as a U+xxxx code point. The underlying code point is identical no matter which encoding is being used. The only time you would see the raw utf-8 bytes would be if the software was Unicode-incapable or if the locale was set incorrectly, leading it to be interpreted as a sequence of bytes.
Andrew
From peter at digitalbrains.com Tue Dec 1 11:24:05 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 01 Dec 2015 11:24:05 +0100
Subject: Why gpg 2.1.9 cannot export secret key without passphrase?
In-Reply-To: <565CD38E.4060408@gmail.com>
References: <5653BA6F.1040002@gmail.com> <20151127123930.02d71cff@fire>
<56583E47.8090307@digitalbrains.com> <565C9F0F.9000806@gmail.com>
<565CA939.8020308@digitalbrains.com> <565CD38E.4060408@gmail.com>
Message-ID: <565D7545.60007@digitalbrains.com>
On 30/11/15 23:54, Andrey Utkin wrote:
> Could you please direct me to exact S2K-stuff modes for exporting it
> which would be compliant with earlier GnuPG branches 1.4 and 2.0?
> [...]
> But for unattended processing cases, I'd like a mode that makes utils
> skip all passphrase entry prompts. I guess the no-encryption case
> ("trivially cracked by anyone") is needed here. Which of the
> mentioned modes was used in 1.4 and 2.0 for exporting without
> passphrase?
"Trivially cracked" implies that there is something to crack. That would
be the silly case with the empty string as the password. Instead, the
first octet in the secret part of the secret key packet indicates
whether to use an S2K or not:
From [1]:
> - One octet indicating string-to-key usage conventions. Zero
> indicates that the secret-key data is not encrypted. 255 or 254
> indicates that a string-to-key specifier is being given. Any
> other value is a symmetric-key encryption algorithm identifier.
The "any other" stuff is ancient legacy stuff, and MUST NOT be produced
by a conforming implementation. This byte is zero when there is no
encryption, and the following bytes are just the plaintext version of
the secret parts:
> - Plain or encrypted multiprecision integers comprising the secret
> key data. These algorithm-specific fields are as described
> below.
In this case, read it as "plain multiprecision integers ...".
HTH,
Peter.
[1] http://tools.ietf.org/html/rfc4880#section-5.5.3
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
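
Added example (not part of the message above and not GnuPG code): a Python check that walks a binary key export, finds the S2K usage octet described in RFC 4880 section 5.5.3, and reports which secret key packets are stored unencrypted. The function names and the toy key material in sample_export() are constructed for illustration; only version 4 RSA, Elgamal and DSA packets are handled.

```python
import struct

# Public-key MPIs that precede the S2K usage octet in a v4 secret-key
# packet (RFC 4880, sections 5.5.2 and 5.5.3): RSA, Elgamal, DSA.
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}


def read_packets(data):
    """Yield (tag, body) for each packet in binary (non-armored) OpenPGP data."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("no packet header at offset %d" % (pos - 1))
        if hdr & 0x40:                       # new-format header
            tag = hdr & 0x3F
            first = data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:
                length = struct.unpack(">I", data[pos + 1:pos + 5])[0]
                pos += 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                # old-format header
            tag = (hdr >> 2) & 0x0F
            length_type = hdr & 0x03
            if length_type == 3:
                raise ValueError("indeterminate lengths are not handled")
            size = (1, 2, 4)[length_type]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length


def s2k_usage(body):
    """Return the S2K usage octet of a version 4 secret-key packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 key packets are handled")
    algo = body[5]                           # after version and 4-octet timestamp
    if algo not in PUBLIC_MPI_COUNT:
        raise ValueError("public-key algorithm %d is not handled" % algo)
    pos = 6
    for _ in range(PUBLIC_MPI_COUNT[algo]):  # skip the public MPIs
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8
    return body[pos]


def classify(usage):
    """Map the usage octet to the three cases the RFC text distinguishes."""
    if usage == 0:
        return "unencrypted"
    if usage in (254, 255):
        return "s2k-protected"
    return "legacy-symmetric"                # bare cipher id, legacy only


def audit(data):
    """List (packet kind, protection) for every secret (sub)key packet."""
    return [(SECRET_TAGS[tag], classify(s2k_usage(body)))
            for tag, body in read_packets(data) if tag in SECRET_TAGS]


def mpi(value):
    """Encode an integer as an OpenPGP multiprecision integer."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def sample_export():
    """Constructed toy data: one unprotected key, one S2K-protected subkey."""
    public = b"\x04" + struct.pack(">I", 0) + b"\x01" + mpi(0xC5) + mpi(0x11)
    plain = public + b"\x00" + mpi(0x1D) + b"\x00\x00"        # usage octet 0
    locked = public + b"\xfe" + b"\x09\x03\x08" + bytes(8 + 1 + 16 + 4)
    old_hdr = bytes([0x80 | (5 << 2), len(plain)])            # old format, tag 5
    new_hdr = bytes([0xC0 | 7, len(locked)])                  # new format, tag 7
    return old_hdr + plain + new_hdr + locked


if __name__ == "__main__":
    for kind, state in audit(sample_export()):
        print(kind, state)
```

To audit a real export, pass the bytes of a binary (non-armored) secret key file to audit(); any "unencrypted" result means the secret MPIs in that packet are stored in the clear.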
From jayson.barker at gmail.com Tue Dec 1 10:35:28 2015
From: jayson.barker at gmail.com (Jay Barker)
Date: Tue, 1 Dec 2015 09:35:28 +0000
Subject: Malware detected
In-Reply-To:
References:
Message-ID:
I would suggest you check the SHA1 or SHA256 checksum for the exe you
downloaded, the checksums are provided in this release note from the
developers:
http://lists.wald.intevation.org/pipermail/gpg4win-announce/2015-November/000067.html
On 30 November 2015 at 22:34, Dale Sander wrote:
> I downloaded gnupg for windows, during the installation Webroot Endpoint
> Protection reported that GSPAWN-WIN32-HELPER.EXE was infected with
> W32.Malware.Gen and was blocked.. has the source code been infected or is
> this some kind of false detection?
>
> Thank you,
>
> Dale
>
From the2nd at otpme.org Tue Dec 1 11:55:38 2015
From: the2nd at otpme.org (the2nd at otpme.org)
Date: Tue, 01 Dec 2015 11:55:38 +0100
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <565D1F33.4090206@fsij.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
<565D1F33.4090206@fsij.org>
Message-ID: <7e34851165fa63d62952f2a66440e567@otpme.org>
There is just one gpg-agent + scdaemon. Do you keep the first SSH
session open when re-plugging the yubikey? If i close the first session
the problem does not occur.
On 2015-12-01 05:16, NIIBE Yutaka wrote:
> On 12/01/2015 08:19 AM, the2nd at otpme.org wrote:
>> So are any devs reading on this list? The problem is reproducible
>> and i am willing to help debugging and whatever is needed to fix the
>> issue. :)
>
> Yes.
>
> It is not reproducible for me. I'm using OpenSSH 6.9p1.
>
>>> i've done some more testing and found out that the problem starts to
>>> exist with openssh version 6.8p1. With 6.7p1 everything works
>>> perfect.
>>> I downloaded the openssh tarballs one by one, compiled with
>>> ./configure;make and just copied the "ssh" binary.
>>>
>>> I was able to reproduce the problem with the following steps:
>>>
>>> 1. Start gpg-agent: eval $(gpg-agent --daemon --enable-ssh-support
>>> --log-file ~/.gnupg/gpg-agent.log)
>>> 2. Login to any host with your SSH key and keep the session open: ssh
>>> -l root localhost
>>> 3. Plug your yubikey out/in
>>> 4. Try to login with your SSH key to any other host
>
> Do you have multiple gpg-agent when you encounter failure? Or
> multiple scdaemon?
From wk at gnupg.org Tue Dec 1 13:09:28 2015
From: wk at gnupg.org (Werner Koch)
Date: Tue, 01 Dec 2015 13:09:28 +0100
Subject: problems decrypting ASCII-armored file
In-Reply-To: (Andrew
Gallagher's message of "Tue, 1 Dec 2015 08:41:00 +0000")
References:
<565CEBCA.5000008@sixdemonbag.org>
Message-ID: <87k2oypdzb.fsf@vigenere.g10code.de>
On Tue, 1 Dec 2015 09:41, andrewg at andrewg.com said:
> point is identical no matter which encoding is being used. The only
> time you would see the raw utf-8 bytes would be if the software was
> Unicode-incapable or if the locale was set incorrectly, leading it to
> be interpreted as a sequence of bytes.
Would it be worth to detect this corner case and ignore the BOM?
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From andrewg at andrewg.com Tue Dec 1 13:20:12 2015
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 01 Dec 2015 12:20:12 +0000
Subject: problems decrypting ASCII-armored file
In-Reply-To: <87k2oypdzb.fsf@vigenere.g10code.de>
References: <565CEBCA.5000008@sixdemonbag.org>
<87k2oypdzb.fsf@vigenere.g10code.de>
Message-ID: <565D907C.7040302@andrewg.com>
On 01/12/15 12:09, Werner Koch wrote:
> On Tue, 1 Dec 2015 09:41, andrewg at andrewg.com said:
>
>> point is identical no matter which encoding is being used. The only
>> time you would see the raw utf-8 bytes would be if the software was
>> Unicode-incapable or if the locale was set incorrectly, leading it to
>> be interpreted as a sequence of bytes.
>
> Would it be worth to detect this corner case and ignore the BOM?
I think so. The use of BOM as a UTF-8 marker is not going to go away any
time soon...
Andrew.
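
Added example (not from any poster in this thread and not GnuPG code): one way to detect the corner case discussed above, written in Python. It drops a byte order mark only when ASCII armor follows it, so binary OpenPGP data that happens to start with the same bytes is left untouched. The function name and the sample armor are constructed for illustration; the sample is not a valid OpenPGP message.

```python
import codecs

ARMOR_MARK = b"-----BEGIN PGP "

# U+FEFF as it appears in the encodings discussed in the thread.
BOMS = [
    (codecs.BOM_UTF8, "utf-8"),          # EF BB BF
    (codecs.BOM_UTF16_BE, "utf-16-be"),  # FE FF
    (codecs.BOM_UTF16_LE, "utf-16-le"),  # FF FE
]


def strip_bom_before_armor(raw):
    """Return (data, encoding).

    If raw starts with a BOM and ASCII armor follows it, data is the armor
    re-encoded as UTF-8 without the BOM and encoding names what was found.
    Otherwise raw is returned unchanged with encoding None.
    """
    for bom, encoding in BOMS:
        if not raw.startswith(bom):
            continue
        try:
            # For UTF-16 the whole file is two bytes per character, so
            # removing the BOM alone would not be enough: transcode it.
            body = raw[len(bom):].decode(encoding).encode("utf-8")
        except UnicodeDecodeError:
            return raw, None             # not text in that encoding
        if body.startswith(ARMOR_MARK):
            return body, encoding
        return raw, None                 # BOM-like bytes, but no armor follows
    return raw, None


# Constructed sample input (armor framing only, not a real message).
SAMPLE = (b"-----BEGIN PGP MESSAGE-----\n\n"
          b"AAAA\n"
          b"-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    utf16 = codecs.BOM_UTF16_BE + SAMPLE.decode("ascii").encode("utf-16-be")
    for label, blob in [("utf-8 BOM", codecs.BOM_UTF8 + SAMPLE),
                        ("utf-16-be BOM", utf16),
                        ("no BOM", SAMPLE)]:
        data, found = strip_bom_before_armor(blob)
        print(label, "->", found, data == SAMPLE)
```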
From mail at joed.hu Tue Dec 1 13:16:57 2015
From: mail at joed.hu (=?iso-8859-2?Q?Dubravszky_J=F3zsef?=)
Date: Tue, 1 Dec 2015 13:16:57 +0100
Subject: gpg-agent protocol
Message-ID: <005a01d12c32$300b7820$90226860$@joed.hu>
Hello,
Before I do any coding or trials I would like to clear some GPG4Win
questions.
Atsuhiko Yamanaka made an excellent Eclipse SSH agent plugin
(https://github.com/ymnk/jsch-agent-proxy) to proxy SSH agents to Eclipse
subsystems. Currently it supports ssh-agent on Linux and Pageant on Windows.
As of GPG4Win 2.2 the gpg-agent.exe can function as an SSH agent for Putty.
It would be just awesome to be able to use gpg-agent.exe in Eclipse. For
that, a connector needs to be developed but first I would like to get
information on how could I "talk to" the gpg-agent.exe? The Pageant
connector uses Win32 shared memory operations. My question might sound
silly, but is there anything that would prevent me writing a connector that
uses the same Win32 shared memory operations based protocol?
I also recognized that on Windows an S.gpg-agent.ssh file is created in the
users roaming AppData
(C:\Users\USERNAME\AppData\Roaming\gnupg\S.gpg-agent.ssh), that pretty much
resembles a Unix socket. As far as I know there is no such compatible domain
socket on Windows, but what is this file then?
Thank you for your help.
BR,
joe
From Jonathan-Harbord at marubeni.com Tue Dec 1 14:50:53 2015
From: Jonathan-Harbord at marubeni.com (Harbord Jonathan-EURITEC)
Date: Tue, 1 Dec 2015 13:50:53 +0000
Subject: Provide user PIN to gpg-agent?
Message-ID:
Is it possible to pass the user PIN of a smartcard to gpg-agent in a command?
I'd like to stop the pinentry program appearing for an automated system.
From rjh at sixdemonbag.org Tue Dec 1 14:54:44 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 1 Dec 2015 08:54:44 -0500
Subject: problems decrypting ASCII-armored file
In-Reply-To:
References:
<565CEBCA.5000008@sixdemonbag.org>
Message-ID: <565DA6A4.1090501@sixdemonbag.org>
> It's the same thing. One is just a different encoding of the other.
Ah, I read it as being straight-up hex, not a code point. Thank you. :)
From rjh at sixdemonbag.org Tue Dec 1 21:47:32 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 1 Dec 2015 15:47:32 -0500
Subject: New FAQ items
Message-ID: <565E0764.9060509@sixdemonbag.org>
1. A new user contacted me via email to point out there was no FAQ
entry about whether there's anything to be done about a lost
passphrase. I added a FAQ entry for this, with text that basically
amounted to "if you truly can't remember your passphrase then we
can't help you, revoke your certificate with a pre-made revocation
certificate and start anew." If anyone has better suggestions (that
don't amount to "well, have you tried all permutations of what you
think the passphrase was?"), please let me know. :)
2. GNU contacted me via email asking for a FAQ entry about how to use
GnuPG to verify downloaded software. This was present in a prior
iteration of the FAQ but not this re-written one, so I figured it
was an unobjectionable addition.
I would normally present things on the list before pushing to Git, but
GNU's keen on a fast turnaround on #2. If you're interested in the FAQ,
give it a day or so for the HTML version of it to get generated and
check out the new entries.
From rjh at sixdemonbag.org Tue Dec 1 21:52:41 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 1 Dec 2015 15:52:41 -0500
Subject: Insecure memory message on PC-BSD
In-Reply-To: <5657942F.7000807@cajuntechie.org>
References: <5657942F.7000807@cajuntechie.org>
Message-ID: <565E0899.6010609@sixdemonbag.org>
> Hey Everyone,
Hey, Anthony. Sorry for the long-delayed response: I'm just now
crawling out from beneath my backlog.
> I'm using PC-BSD 10.2 and I get the message "using insecure memory!"
> when I type gpg2 at the terminal. Is this a major issue or is it
> something I can (usually) ignore? Is there a way to use "secure" memory?
Some operating systems allow GnuPG more low-level control over memory.
Others don't, and these other systems get the insecure memory warning.
However, it's pretty hard to exploit
insecure memory without root privileges -- and if your attacker has root
privileges on your machine then it's all over anyway.
In my own environment, I don't care about this. It's a nonissue. You
can disable the warning by putting no-secmem-warning in your gpg.conf file.
From rjh at sixdemonbag.org Tue Dec 1 21:55:21 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 1 Dec 2015 15:55:21 -0500
Subject: Malware detected
In-Reply-To:
References:
Message-ID: <565E0939.7090309@sixdemonbag.org>
> I downloaded gnupg for windows, during the installation Webroot Endpoint
> Protection reported that GSPAWN-WIN32-HELPER.EXE was infected with
> W32.Malware.Gen and was blocked.. has the source code been infected or
> is this some kind of false detection?
I'd be happy to look into this for you, but I'm going to need to know
specifically which version of GnuPG for Windows you downloaded and where
you downloaded it from (a link would be best).
From kristian.fiskerstrand at sumptuouscapital.com Tue Dec 1 21:51:50 2015
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Tue, 1 Dec 2015 21:51:50 +0100
Subject: New FAQ items
In-Reply-To: <565E0764.9060509@sixdemonbag.org>
References: <565E0764.9060509@sixdemonbag.org>
Message-ID: <565E0866.6060601@sumptuouscapital.com>
On 12/01/2015 09:47 PM, Robert J. Hansen wrote:
> 1. A new user contacted me via email to point out there was no
> FAQ entry about whether there's anything to be done about a lost
> passphrase. I added a FAQ entry for this, with text that
> basically amounted to "if you truly can't remember your passphrase
> then we can't help you, revoke your certificate with a pre-made
> revocation certificate and start anew." If anyone has better
> suggestions (that don't amount to "well, have you tried all
> permutations of what you think the passphrase was?"), please let me
> know. :)
Would a reference to nasty[0] or other tools to aid such brute-force
attacks be useful in this context?
Reference:
[0] http://freecode.com/projects/nasty
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Donec eris sospes, multos numerabis amicos.
Tempora si fuerint nubila, solus eris.
As long as you are wealthy, you will have many friends.
When the tough times come, you will be left alone
From rjh at sixdemonbag.org Tue Dec 1 22:01:42 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 1 Dec 2015 16:01:42 -0500
Subject: New FAQ items
In-Reply-To: <565E0866.6060601@sumptuouscapital.com>
References: <565E0764.9060509@sixdemonbag.org>
<565E0866.6060601@sumptuouscapital.com>
Message-ID: <565E0AB6.10406@sixdemonbag.org>
> Would a reference to nasty[0] or other tools to aid such brute-force
> attacks be useful in this context?
I thought about it but decided against it. I've never heard of someone
successfully using nasty to recover their passphrase. I hate to
recommend a tool where I can't point to a single user who's had a good
experience with it.
I'm not saying they don't exist. Just that if they do exist, I don't
know about them, and for that reason I feel I can't recommend the tool.
From kristian.fiskerstrand at sumptuouscapital.com Tue Dec 1 22:00:29 2015
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Tue, 1 Dec 2015 22:00:29 +0100
Subject: New FAQ items
In-Reply-To: <565E0AB6.10406@sixdemonbag.org>
References: <565E0764.9060509@sixdemonbag.org>
<565E0866.6060601@sumptuouscapital.com> <565E0AB6.10406@sixdemonbag.org>
Message-ID: <565E0A6D.4030800@sumptuouscapital.com>
On 12/01/2015 10:01 PM, Robert J. Hansen wrote:
>> Would a reference to nasty[0] or other tools to aid such
>> brute-force attacks be useful in this context?
>
> I thought about it but decided against it. I've never heard of
> someone successfully using nasty to recover their passphrase. I
> hate to recommend a tool where I can't point to a single user who's
> had a good experience with it.
I've heard of a few users with good experiences using it, but it has
always been in the context of rotation of several known password
strings using separators and number paddings etc so they have been able
to build a good pattern to base it on
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Donec eris sospes, multos numerabis amicos.
Tempora si fuerint nubila, solus eris.
As long as you are wealthy, you will have many friends.
When the tough times come, you will be left alone
From rjh at sixdemonbag.org Tue Dec 1 22:08:18 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 1 Dec 2015 16:08:18 -0500
Subject: New FAQ items
In-Reply-To: <565E0A6D.4030800@sumptuouscapital.com>
References: <565E0764.9060509@sixdemonbag.org>
<565E0866.6060601@sumptuouscapital.com> <565E0AB6.10406@sixdemonbag.org>
<565E0A6D.4030800@sumptuouscapital.com>
Message-ID: <565E0C42.1040008@sixdemonbag.org>
> I've heard of a few users with good experiences using it...
Good enough for me. I'll adjust the language and submit a revision to
the list for review.
From gniibe at fsij.org Wed Dec 2 04:07:12 2015
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Wed, 02 Dec 2015 12:07:12 +0900
Subject: Provide user PIN to gpg-agent?
In-Reply-To:
References:
Message-ID: <565E6060.3080806@fsij.org>
On 12/01/2015 10:50 PM, Harbord Jonathan-EURITEC wrote:
> Is it possible to pass the user PIN of a smartcard to gpg-agent in a command?
>
> I'd like to stop the pinentry program appearing for an automated system.
Please note that I don't have any experience like that, and I don't
generally recommend such a usage.
In general, we can provide a special application specific pinentry
program for such a special purpose.
In GnuPG 2.1.x, there is the allow-loopback-pinentry option. When it is
enabled in .gnupg/gpg-agent.conf or as an argument when invoking
gpg-agent, we can do something like:
gpg-connect-agent \
    "OPTION pinentry-mode=loopback" \
    '/definqfile PASSPHRASE /tmp/passphrase-for-smartcard' \
    "SCD CHECKPIN " /bye
having a file /tmp/passphrase-for-smartcard, where is the one
in the output of 'gpg --card-status' like:
Application ID ...: D276000124010200F517000000010000
Substitute by D276000124010200F517000000010000.
Please try.
--
From gniibe at fsij.org Wed Dec 2 08:16:08 2015
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Wed, 02 Dec 2015 16:16:08 +0900
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <7e34851165fa63d62952f2a66440e567@otpme.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
<565D1F33.4090206@fsij.org>
<7e34851165fa63d62952f2a66440e567@otpme.org>
Message-ID: <1449040568.9848.1.camel@fsij.org>
On 2015-12-01 at 11:55 +0100, the2nd at otpme.org wrote:
> There is just one gpg-agent + scdaemon.
OK.
> Do you keep the first SSH session open when re-plugging the yubikey?
I don't use Yubikey.  I use OpenPGPcard with card reader and Gnuk
Token.  If you think your problem is Yubikey specific, it would be
good to ask Yubikey community.
I keep the SSH session when I remove my token and re-insert it.  I
also tried with the setting of 'ForwardAgent yes' in .ssh/config and
used SSH to another remote host.  But I can't reproduce.
To debug your situation, please add 'verbose' in your
.gnupg/gpg-agent.conf and create a file .gnupg/scdaemon.conf with:
=====================
debug-level guru
debug-all
log-file /tmp/scd.log
=====================
Before your experiment, please set your PIN to the default one, because
the scd.log file will include your PIN information.
--
From gnupg at raf.org Wed Dec 2 11:13:55 2015
From: gnupg at raf.org (gnupg at raf.org)
Date: Wed, 2 Dec 2015 21:13:55 +1100
Subject: gpg-preset-passphrase: problem setting the gpg-agent options [caused
by empty $DISPLAY]
Message-ID: <20151202101355.GA30221@raf.org>
Hi,
ubuntu-14.04.3 LTS
gnupg-1.4.16-1ubuntu2.3
gnupg2-2.0.22-3ubuntu1.3
gnupg-agent-2.0.22-3ubuntu1.3
I've just started using gpg-agent and gpg-preset-passphrase to store a
passphrase briefly.
Yesterday, this was working fine on two hosts.
Today, it stopped working on one of them.
The gpg-agent command looks like:
$ /usr/bin/screen -- \
> /usr/bin/sudo -u thing --set-home -- \
> /usr/bin/gpg-agent \
> --homedir /etc/thing/.gnupg \
> --write-env-file /etc/thing/run/.gpg-agent-info \
> --allow-preset-passphrase \
> --daemon -- \
> /bin/bash --login
And the gpg-preset-passphrase command looks like:
$ gpg_cache_id="`/usr/bin/gpg --homedir /etc/thing/.gnupg --fingerprint --fingerprint thing@example.com | grep 'Key fingerprint' | tail -1 | sed -e 's/^[^=]\+=//' -e 's/ //g'`"
$ my-ask-password 'Enter the GPG passphrase:' | /usr/lib/gnupg2/gpg-preset-passphrase --preset "$gpg_cache_id"
The gpg-preset-passphrase command is executed from within the .bash_login
script that is executed by bash that is run by gpg-agent in the first
command above.
So yesterday, this worked perfectly. Today, when I try it, I get:
Enter the GPG passphrase:
gpg-preset-passphrase: problem setting the gpg-agent options
gpg-preset-passphrase: caching passphrase failed: Invalid response
Is there any way to find out what the problem was? I couldn't find any
log messages with more information and adding the -v option to
gpg-preset-passphrase didn't add anything.
There's nothing wrong with the cache id. It hasn't changed since yesterday.
Hang on, I've found out what caused it:
$ DISPLAY=
Yesterday, I was logged into the problem host from the same LAN so I had
$DISPLAY set. Today, I'm logged in from further away and cleared $DISPLAY to
prevent slow X11 traffic.
When I turn off X11, I do it by setting DISPLAY to the empty string. That has
always worked for all other programs but it seems that gpg-preset-passphrase
is assuming that if $DISPLAY exists, then it must contain something useful
and, if not, it runs into problems. At least that's what it seems like.
If I do the following instead:
$ unset DISPLAY
Then gpg-preset-passphrase works fine.
It seems to me to be a buglet in gpg-preset-passphrase because it's the only
program I've encountered that doesn't treat an empty $DISPLAY the same as an
absent $DISPLAY.
This also applies to:
debian-8
gnupg-1.4.18-7
gnupg2-2.0.26-6
gnupg-agent-2.0.26-6
But at least I know now what not to do to keep it working. :-)
cheers,
raf
From the2nd at otpme.org Wed Dec 2 12:36:02 2015
From: the2nd at otpme.org (the2nd at otpme.org)
Date: Wed, 02 Dec 2015 12:36:02 +0100
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <1449040568.9848.1.camel@fsij.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
<565D1F33.4090206@fsij.org>
<7e34851165fa63d62952f2a66440e567@otpme.org>
<1449040568.9848.1.camel@fsij.org>
Message-ID: <87641f45c044ba0aaecd7669ae979cd2@otpme.org>
Hi,
here is the output for a failed session and a working one (with openssh
6.7p1).
Both times i started two ssh sessions, keeping the first one open.
Failed
gpg-agent.log - http://paste.ubuntu.com/13620856/
scd.log - http://paste.ubuntu.com/13620863/
OK
gpg-agent.log - http://paste.ubuntu.com/13621007/
scd.log - http://paste.ubuntu.com/13621013/
I am unsure if it is yubikey specific but as it is working with older
openssh versions i guess it's some bug that's related to any openssh
changes.
The log always shows "error getting default authentication keyID of
card: Conflicting use" when the problem occurs.
If you say that this is not a gnupg issue i'll ask the yubico folks.
But it would be really great to get any hint what could be the problem
from someone who is familiar with the technical details. :)
regards
the2nd
On 2015-12-02 08:16, NIIBE Yutaka wrote:
> On 2015-12-01 at 11:55 +0100, the2nd at otpme.org wrote:
>> There is just one gpg-agent + scdaemon.
>
> OK.
>
>> Do you keep the first SSH session open when re-plugging the yubikey?
>
> I don't use Yubikey.  I use OpenPGPcard with card reader and Gnuk
> Token.  If you think your problem is Yubikey specific, it would be
> good to ask Yubikey community.
>
> I keep the SSH session when I remove my token, re-insert it and.  I
> also tried with the setting of 'ForwardAgent yes' in .ssh/config and
> used SSH to another remote host.  But I can't reproduce.
>
> To debug your situation, please add 'verbose' in your
> .gnupg/gpg-agent.conf and create a file .gnupg/scdaemon.conf with:
>
> =====================
> debug-level guru
> debug-all
> log-file /tmp/scd.log
> =====================
>
> Before your experiment, please set your PIN by default one, because
> the scd.log file will include your PIN information.
From gniibe at fsij.org Wed Dec 2 14:26:29 2015
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Wed, 02 Dec 2015 22:26:29 +0900
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <87641f45c044ba0aaecd7669ae979cd2@otpme.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
<565D1F33.4090206@fsij.org>
<7e34851165fa63d62952f2a66440e567@otpme.org>
<1449040568.9848.1.camel@fsij.org>
<87641f45c044ba0aaecd7669ae979cd2@otpme.org>
Message-ID: <1449062789.2160.3.camel@fsij.org>
On 2015-12-02 at 12:36 +0100, the2nd at otpme.org wrote:
> here is the output for a failed session and a working one (with
> openssh
> 6.7p1).
> Both times i started two ssh sessions, keeping the first one open.
Thank you very much.
> Failed
> gpg-agent.log - http://paste.ubuntu.com/13620856/
There are three connections from SSH:
  (1) handler 0x557c807ec310 for fd 8
  (2) handler 0x557c807eebb0 for fd 10
  (3) handler 0x557c807eeb80 for fd 10 (fd 10 re-used)
              token removed
              |
              v
   (1) ------------------>
        (2)-->
       (3)------>
                  ******---- conflicting use
> scd.log - http://paste.ubuntu.com/13620863/
There are two connections from gpg-agent:
  (a) chan_7 from (1)
  (b) chan_9 from (3)
              token removed
              |
              v
     (a) ------------------>
        (b)------>
                   ******---- conflicting use
The connection from SSH remains in gpg-agent by some reason.  This is
the reason why the connection from gpg-agent remains in Scdaemon,
which results conflicting use.
Anyway, when Scdaemon detects card/token removal, it could finish
existing connection(s).  I'll consider fixing this.
I don't know the exact reason why connection from SSH remains, though.
> I am unsure if it is yubikey specific but as it is working with older
> openssh versions i guess it's some bug that's related to any openssh
> changes.
From the logs, I don't think it's yubikey specific.
> If you say that this is not a gnupg issue i'll ask the yubico folks.
> But it would be really great to get any hint what could be the
> problem
> from someone who is familiar with the technical details. :)
This is GnuPG issue, specifically, Scdaemon issue.
--
From Jonathan-Harbord at marubeni.com Wed Dec 2 15:29:19 2015
From: Jonathan-Harbord at marubeni.com (Harbord Jonathan-EURITEC)
Date: Wed, 2 Dec 2015 14:29:19 +0000
Subject: Provide user PIN to gpg-agent?
In-Reply-To: <565E6060.3080806@fsij.org>
References:
<565E6060.3080806@fsij.org>
Message-ID:
Niibe-san
Thank you so much for your help! It worked.
I was using gpg4win, which of course does not include v2.1. I need to download the windows version from gnupg.org.
I had some difficulty with the syntax of a windows batch file but eventually succeeded with
gpg-connect-agent.exe --run
Where contained:
OPTION pinentry-mode=loopback
/definqfile PASSPHRASE
SCD CHECKPIN
/bye
And where was the ID of the card from gpg --card-status as you suggested,
and was a file containing the PIN.
Thank you again for your kind advice.
-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of NIIBE Yutaka
Sent: 02 December 2015 03:07
To: gnupg-users at gnupg.org
Subject: Re: Provide user PIN to gpg-agent?
On 12/01/2015 10:50 PM, Harbord Jonathan-EURITEC wrote:
> Is it possible to pass the user PIN of a smartcard to gpg-agent in a command?
>
> I'd like to stop the pinentry program appearing for an automated system.
Please note that I don't have any experience like that, and I don't generally recommend such a usage.
In general, we can provide a special application specific pinentry program for such a special purpose.
In GnuPG 2.1.x, there is allow-loopback-pinentry option. When enabled it by .gnupg/gpg-agent.conf or as an argument invoking gpg-agent, we can do something like:
gpg-connect-agent \
"OPTION pinentry-mode=loopback" \
'/definqfile PASSPHRASE /tmp/passphrase-for-smartcard' \
"SCD CHECKPIN " /bye
having a file /tmp/passphrase-for-smartcard, where is the one in the output of 'gpg --card-status' like:
Application ID ...: D276000124010200F517000000010000
Substitute by D276000124010200F517000000010000.
Please try.
--
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From the2nd at otpme.org Wed Dec 2 15:35:32 2015
From: the2nd at otpme.org (the2nd at otpme.org)
Date: Wed, 02 Dec 2015 15:35:32 +0100
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <1449062789.2160.3.camel@fsij.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
<565D1F33.4090206@fsij.org>
<7e34851165fa63d62952f2a66440e567@otpme.org>
<1449040568.9848.1.camel@fsij.org>
<87641f45c044ba0aaecd7669ae979cd2@otpme.org>
<1449062789.2160.3.camel@fsij.org>
Message-ID: <974725082684833653e68c6ca4fe7ee9@otpme.org>
On 2015-12-02 14:26, NIIBE Yutaka wrote:
> On 2015-12-02 at 12:36 +0100, the2nd at otpme.org wrote:
>> here is the output for a failed session and a working one (with
>> openssh
>> 6.7p1).
>> Both times i started two ssh sessions, keeping the first one open.
>
> Thank you very much.
No problem. I'm glad to help out and probably get a fix for this
annoying issue. :)
>
>
>> Failed
>> gpg-agent.log - http://paste.ubuntu.com/13620856/
>
> There are three connections from SSH:
>
>   (1) handler 0x557c807ec310 for fd 8
>   (2) handler 0x557c807eebb0 for fd 10
>   (3) handler 0x557c807eeb80 for fd 10 (fd 10 re-used)
>
>               token removed
>               |
>               v
>    (1) ------------------>
>         (2)-->
>        (3)------>
>                   ******---- conflicting use
>
>> scd.log - http://paste.ubuntu.com/13620863/
>
> There are two connections from gpg-agent:
>
>   (a) chan_7 from (1)
>   (b) chan_9 from (3)
>
>               token removed
>               |
>               v
>      (a) ------------------>
>         (b)------>
>                    ******---- conflicting use
>
>
> The connection from SSH remains in gpg-agent by some reason.  This is
> the reason why the connection from gpg-agent remains in Scdaemon,
> which results conflicting use.
>
> Anyway, when Scdaemon detects card/token removal, it could finish
> existing connection(s).  I'll consider fixing this.
Sounds good. Should i open a bug report for this?
>
> I don't know the exact reason why connection from SSH remains, though.
>
>> I am unsure if it is yubikey specific but as it is working with older
>> openssh versions i guess it's some bug that's related to any openssh
>> changes.
>
> From the logs, I don't think it's yubikey specific.
>
>> If you say that this is not a gnupg issue i'll ask the yubico folks.
>> But it would be really great to get any hint what could be the
>> problem
>> from someone who is familiar with the technical details. :)
>
> This is GnuPG issue, specifically, Scdaemon issue.
Is there any workaround we can apply to fix this issue? Currently i am
using a self compiled ssh client binary of openssh 6.7p1 as workaround.
Thanks a lot for your help.
Regards
the2nd
From Cathy.Smith at pnnl.gov Wed Dec 2 21:12:55 2015
From: Cathy.Smith at pnnl.gov (Smith, Cathy)
Date: Wed, 2 Dec 2015 20:12:55 +0000
Subject: question about gpg2 and passphrase
Message-ID:
I need to be able to decrypt a file using gpg2 in batch. I have a customer who requires us to provide a public key that is RSA 2048 bit. I have RHEL6 available which provides gpg 2.0.14 to create the key pair. However, I've not been able to use gpg2 in batch to provide the passphrase to decrypt a file. It wants an interactive prompt for the passphrase. I've tried some things that I've read on-line without any success. Is there a way to configure gpg2 to accept a passphrase in batch?
Thanks for your help.
Cathy
--
Cathy L. Smith
IT Engineer, CISSP
Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.4399
Email: cathy.smith at pnnl.gov
From andrey.od.utkin at gmail.com Thu Dec 3 00:18:23 2015
From: andrey.od.utkin at gmail.com (Andrey Utkin)
Date: Thu, 3 Dec 2015 01:18:23 +0200
Subject: question about gpg2 and passphrase
In-Reply-To:
References:
Message-ID: <565F7C3F.7020801@gmail.com>
On 02.12.2015 22:12, Smith, Cathy wrote:
> I need to be able to decrypt a file using gpg2 in batch. I have a
> customer who requires us to provide a public key that is RSA 2048 bit.
> I have RHEL6 available which provides gpg 2.0.14 to create the key
> pair. However, I've not been able to use gpg2 in batch to provide the
> passphrase to decrypt a file. It wants an interactive prompt for the
> passphrase. I've tried some things that I've read on-line without any
> success. Is there a way to configure gpg2 to accept a passphrase in
> batch?
Hi,
Have you tried generating a key with empty passphrase?
From lists at theflorys.org Thu Dec 3 00:18:46 2015
From: lists at theflorys.org (David)
Date: Wed, 2 Dec 2015 18:18:46 -0500
Subject: Cannot revoke a certificate
Message-ID: <565F7C56.2080901@theflorys.org>
I am trying to revoke a very old certificate that may be compromised. I
generated a revocation certificate using the following gpg command with
no errors. I did get a warning about MD5 being deprecated.
C:\Users\David> gpg --output kill7827.asc --gen-revoke 80942C8D
However, I cannot use it. Here is the output:
C:\Users\David> gpg --import .\kill7827.asc
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key 80942C8D: invalid revocation certificate: Invalid digest
algorithm - rejected
gpg: error reading `.\\kill7827.asc': Invalid digest algorithm
gpg: import from `.\\kill7827.asc' failed: Invalid digest algorithm
gpg: Total number processed: 0
C:\Users\David>
How do I force gpg to accept the revocation? Or, how do I revoke the
old key?
Win10
GnuPG 2.0.29 (Gpg4Win 2.3.0)
From gniibe at fsij.org Thu Dec 3 03:54:27 2015
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 03 Dec 2015 11:54:27 +0900
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <974725082684833653e68c6ca4fe7ee9@otpme.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
<565D1F33.4090206@fsij.org>
<7e34851165fa63d62952f2a66440e567@otpme.org>
<1449040568.9848.1.camel@fsij.org>
<87641f45c044ba0aaecd7669ae979cd2@otpme.org>
<1449062789.2160.3.camel@fsij.org>
<974725082684833653e68c6ca4fe7ee9@otpme.org>
Message-ID: <565FAEE3.9030602@fsij.org>
On 12/02/2015 11:35 PM, the2nd at otpme.org wrote:
> No problem. I'm glad to help out and probably get a fix for this annoying issue. :)
Thanks for your patience.
>> Anyway, when Scdaemon detects card/token removal, it could finish
>> existing connection(s). I'll consider fixing this.
>
> Sounds good. Should i open a bug report for this?
Not needed. It's fixed in master. I'm going to backport this to 2.0.
The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
> Is there any workaround we can apply to fix this issue? Currently i
> am using a self compiled ssh client binary of openssh 6.7p1 as
> workaround.
Well, I found another bug with PC/SC. Because of this bug, it is
sometimes (not always) possible for gpg not to raise the error of
"Conflicting usage". So, it would be a workaround to disable internal
ccid driver of GnuPG and to use PC/SC. (I don't recommend, though.)
Here is a backport patch which I'm considering to apply to 2.0.
Thank you again for your cooperation fixing this long standing bug.
=========================
diff --git a/scd/apdu.c b/scd/apdu.c
index f9a1a2d..acca799 100644
--- a/scd/apdu.c
+++ b/scd/apdu.c
@@ -3136,7 +3136,13 @@ apdu_close_reader (int slot)
return SW_HOST_NO_DRIVER;
sw = apdu_disconnect (slot);
if (sw)
- return sw;
+ {
+ /*
+ * When the reader/token was removed it might come here.
+ * It should go through to call CLOSE_READER even if we got an error.
+ */
+ log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw);
+ }
if (reader_table[slot].close_reader)
return reader_table[slot].close_reader (slot);
return SW_HOST_NOT_SUPPORTED;
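Review bot: in apdu_close_reader the new block logs the apdu_disconnect status and then drops it, so the return value now comes only from close_reader (or SW_HOST_NOT_SUPPORTED when the slot has no close_reader), and a caller can no longer tell that the disconnect failed. If discarding sw is intended, say so in the comment next to "It should go through to call CLOSE_READER"; otherwise consider returning sw when close_reader itself reports success.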
diff --git a/scd/app-common.h b/scd/app-common.h
index e48db3c..ac2c2e9 100644
--- a/scd/app-common.h
+++ b/scd/app-common.h
@@ -44,11 +44,6 @@ struct app_ctx_s {
operations the particular function pointer is set to NULL */
unsigned int ref_count;
- /* Flag indicating that a reset has been done for that application
- and that this context is merely lingering and just should not be
- reused. */
- int no_reuse;
-
/* Used reader slot. */
int slot;
diff --git a/scd/app.c b/scd/app.c
index 742f937..380a347 100644
--- a/scd/app.c
+++ b/scd/app.c
@@ -190,9 +190,12 @@ application_notify_card_reset (int slot)
/* FIXME: We are ignoring any error value here. */
lock_reader (slot, NULL);
- /* Mark application as non-reusable. */
+ /* Release the APP, as it's not reusable any more. */
if (lock_table[slot].app)
- lock_table[slot].app->no_reuse = 1;
+ {
+ deallocate_app (lock_table[slot].app);
+ lock_table[slot].app = NULL;
+ }
/* Deallocate a saved application for that slot, so that we won't
try to reuse it. If there is no saved application, set a flag so
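Review bot: application_notify_card_reset now calls deallocate_app on lock_table[slot].app without consulting ref_count (the counter shown in struct app_ctx_s), so any session that still holds this app_t is left with a dangling pointer that it will later pass to release_application. The removed no_reuse flag kept the context "merely lingering" for exactly that case. Please show where the remaining holders are detached before the free, or defer the deallocation until ref_count reaches zero.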
@@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char *name, app_t *r_app)
return gpg_error (GPG_ERR_CONFLICT);
}
- /* Don't use a non-reusable marked application. */
- if (app && app->no_reuse)
- {
- unlock_reader (slot);
- log_info ("lingering application `%s' in use by reader %d"
- " - can't switch\n",
- app->apptype? app->apptype:"?", slot);
- return gpg_error (GPG_ERR_CONFLICT);
- }
-
/* If we don't have an app, check whether we have a saved
application for that slot. This is useful so that a card does
not get reset even if only one session is using the card - this
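Review bot: with the no_reuse guard removed from select_application, the function depends on application_notify_card_reset having already cleared lock_table[slot].app for a reset card, and nothing in this hunk states that dependency. The log_info line that explained why GPG_ERR_CONFLICT was returned for a lingering application goes away with it. A short comment naming the invariant here would help whoever next changes the reset path.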
@@ -506,15 +499,7 @@ release_application (app_t app)
if (lock_table[slot].last_app)
deallocate_app (lock_table[slot].last_app);
- if (app->no_reuse)
- {
- /* If we shall not re-use the application we can't save it for
- later use. */
- deallocate_app (app);
- lock_table[slot].last_app = NULL;
- }
- else
- lock_table[slot].last_app = lock_table[slot].app;
+ lock_table[slot].last_app = lock_table[slot].app;
lock_table[slot].app = NULL;
unlock_reader (slot);
}
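Review bot: release_application now unconditionally moves lock_table[slot].app into last_app and clears the slot entry, without checking that the entry is the same object as the app argument. After the reset path in application_notify_card_reset the entry can already be NULL, or, as far as these lines show, can belong to an application selected later by another session, in which case this call parks that session's context. Consider comparing lock_table[slot].app with app before touching the table.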
--
From gnupg at raf.org Thu Dec 3 04:07:06 2015
From: gnupg at raf.org (gnupg at raf.org)
Date: Thu, 3 Dec 2015 14:07:06 +1100
Subject: question about gpg2 and passphrase
In-Reply-To: <565F7C3F.7020801@gmail.com>
References: <565F7C3F.7020801@gmail.com>
Message-ID: <20151203030706.GA2875@raf.org>
Andrey Utkin wrote:
> On 02.12.2015 22:12, Smith, Cathy wrote:
> > I need to be able to decrypt a file using gpg2 in batch. I have a
> > customer who requires us to provide a public key that is RSA 2048 bit.
> > I have RHEL6 available which provides gpg 2.0.14 to create the key
> > pair. However, I've not been able to use gpg2 in batch to provide the
> > passphrase to decrypt a file. It wants an interactive prompt for the
> > passphrase. I've tried some things that I've read on-line without any
> > success. Is there a way to configure gpg2 to accept a passphrase in
> > batch?
>
> Hi,
> Have you tried generating a key with empty passphrase?
Hi,
Warning: I am not an expert. I only just found out how to do this myself.
If it needs to always work with no intervention and it's safe to leave the
key unencrypted on disk permanently (unlikely) then having an empty
passphrase is definitely the easy option but if you can't leave the key
unencrypted on disk and decryption only needs to occur at certain known
times, and it's OK to have someone supply the passphrase in advance, then
the following approach might be more appropriate.
You can run gpg-agent explicitly as a daemon and use the
--allow-preset-passphrase option and then use gpg-preset-passphrase to load
a passphrase into it.
The gpg-agent command will probably also need the --write-env-file option to
store the gpg-agent socket details on disk so other, unrelated processes can
connect to the gpg-agent.
Here's an example gpg-agent command:
$ gpg-agent \
> --homedir /PATH/TO/.gnupg \
> --write-env-file /PATH/TO/.gpg-agent-info \
> --allow-preset-passphrase \
> --max-cache-ttl 7200 \
> --daemon -- \
> bash --login
To load the passphrase from within the bash process started above
(the double --fingerprint is important because it shows the key we need):
$ gpg_cache_id="`gpg --homedir /PATH/TO/.gnupg --fingerprint --fingerprint USER@DOMAIN | grep 'Key fingerprint' | tail -1 | sed -e 's/^[^=]\+=//' -e 's/ //g'`"
$ systemd-ask-password 'Enter GPG passphrase:' | /usr/lib/gnupg2/gpg-preset-passphrase --preset "$gpg_cache_id"
To load the passphrase from an unrelated process, you would first need to do
the following to connect to the gpg-agent before loading the passphrase into
gpg-agent as described above:
$ . /PATH/TO/.gpg-agent-info
$ export GPG_AGENT_INFO
The process that needs to perform the decryption would also need to do the
above if it is from a process that is unrelated to the bash process started
by gpg-agent. e.g.:
$ . /PATH/TO/.gpg-agent-info
$ export GPG_AGENT_INFO
# unset GPG_TTY # This is probably unnecessary
$ gpg --batch --quiet --no-greeting --no-tty --use-agent \
> --homedir /PATH/TO/.gnupg --decrypt < ENCRYPTEDFILE > DECRYPTEDFILE
Note that the passphrase will stay resident in gpg-agent until gpg-agent
terminates, or until it is explicitly forgotten with:
/usr/lib/gnupg2/gpg-preset-passphrase --forget "$gpg_cache_id"
or until the max-cache-ttl expires, whichever comes first. By default, this
is 7200 seconds (i.e. two hours) but it can be increased or decreased on the
gpg-agent command line.
It's probably a very bad idea to increase it too much and leave the
passphrase available permanently. If that were OK, you might as well use an
unencrypted key with no passphrase. But if it were OK, there'd be a
gpg-agent option to remove the TTL limit altogether, but there is no such
option.
Notes:
The gpg commands above (--fingerprint and --decrypt) should still work
if they were changed to gpg2. That's probably more sensible since gpg-agent
is a gpg2 thing but gpg works too so I use that.
If you don't have systemd-ask-password, you could use ssh-askpass but
it requires X11. It only takes a few lines of Perl to implement your own
askpass program if needed.
Also, don't set $DISPLAY to be empty before running gpg-preset-passphrase.
If you need to disable X11, unset DISPLAY instead or gpg-preset-passphrase
will give an error:
gpg-preset-passphrase: problem setting the gpg-agent options
gpg-preset-passphrase: caching passphrase failed: Invalid response
Also, the gpg-agent command can be run inside a screen or tmux session so
that you can detach from it and reattach to it again later to terminate it.
Also, I don't know about RHEL6. The above works on debian-8 and ubuntu-14.04.3
which have gpg2 2.0.26 and 2.0.22, respectively. Hopefully, it will all
work on RHEL6 with gpg2 2.0.14 as well.
Good luck,
raf
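Added example (not part of raf's posts or of GnuPG): the preset-passphrase procedure above, together with raf's earlier empty-$DISPLAY report, as POSIX shell. Function names are hypothetical, the key listing is constructed, and it assumes the file written by --write-env-file holds a plain GPG_AGENT_INFO=socket:pid:protocol line; unlike the posts, it parses that file instead of sourcing it.

```shell
#!/bin/sh
# Added example, not from the thread. All function names are hypothetical.

# Constructed sample of `gpg --fingerprint --fingerprint USER` output
# (GnuPG 1.4/2.0 layout); the second fingerprint belongs to the subkey.
sample_listing() {
    cat <<'EOF'
pub   2048R/1A2B3C4D 2015-12-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                  Thing <thing@example.com>
sub   2048R/5E6F7A8B 2015-12-01
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
EOF
}

# Read such a listing on stdin and print the last fingerprint without spaces,
# i.e. what the grep | tail -1 | sed pipeline in the post produces.
cache_id_from_listing() {
    awk -F= '/Key fingerprint/ { fp = $2 }
             END { gsub(/ /, "", fp); if (fp == "") exit 1; print fp }'
}

# Accept only a 40-digit hex string as a cache id.
is_fingerprint() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Report whether DISPLAY is unset, set but empty, or set to a value.
display_state() {
    if [ "${DISPLAY+set}" != set ]; then echo unset
    elif [ -z "$DISPLAY" ]; then echo empty
    else echo value
    fi
}

# The post reports gpg-preset-passphrase failing when DISPLAY is set but
# empty, so remove the variable in that one state and leave it alone otherwise.
normalize_display() {
    if [ "${DISPLAY+set}" = set ] && [ -z "$DISPLAY" ]; then
        unset DISPLAY
    fi
}

# Print GPG_AGENT_INFO from the env file named in $1 without executing the
# file. The value must look like /socket/path:PID:PROTOCOL (assumed format);
# it is only ever used as a string, never evaluated as shell.
read_agent_info() {
    _ai_info=$(sed -n 's/^GPG_AGENT_INFO=//p' "$1" | tail -n 1) || return 1
    case $_ai_info in
        /*:*:*) ;;
        *) return 1 ;;
    esac
    _ai_pid=${_ai_info#*:}
    _ai_pid=${_ai_pid%%:*}
    case $_ai_pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$_ai_info"
}

# usage: preset_passphrase HOMEDIR ENVFILE USER_ID   (passphrase on stdin)
# Needs gpg, a gpg-agent started with --allow-preset-passphrase, and the
# helper path used in the post; it is not run by the demo line below.
preset_passphrase() {
    normalize_display
    GPG_AGENT_INFO=$(read_agent_info "$2") || return 1
    export GPG_AGENT_INFO
    _pp_id=$(gpg --homedir "$1" --fingerprint --fingerprint "$3" \
             | cache_id_from_listing) || return 1
    is_fingerprint "$_pp_id" || return 1
    /usr/lib/gnupg2/gpg-preset-passphrase --preset "$_pp_id"
}

# Demo on the constructed listing only: prints the subkey fingerprint.
sample_listing | cache_id_from_listing
```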
From lance at lrvick.net Thu Dec 3 04:54:04 2015
From: lance at lrvick.net (Lance R. Vick)
Date: Wed, 2 Dec 2015 19:54:04 -0800
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <565FAEE3.9030602@fsij.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
<565D1F33.4090206@fsij.org>
<7e34851165fa63d62952f2a66440e567@otpme.org>
<1449040568.9848.1.camel@fsij.org>
<87641f45c044ba0aaecd7669ae979cd2@otpme.org>
<1449062789.2160.3.camel@fsij.org>
<974725082684833653e68c6ca4fe7ee9@otpme.org>
<565FAEE3.9030602@fsij.org>
Message-ID:
I came up with the following udev rule which, while heavy handed, solves
these issues for me: https://gist.github.com/lrvick/d1a5a8e6cf0eefda69d7
On Wed, Dec 2, 2015 at 6:54 PM, NIIBE Yutaka wrote:
> On 12/02/2015 11:35 PM, the2nd at otpme.org wrote:
> > No problem. I'm glad to help out and probably get a fix for this
> annoying issue. :)
>
> Thanks for your patience.
>
> >> Anyway, when Scdaemon detects card/token removal, it could finish
> >> existing connection(s). I'll consider fixing this.
> >
> > Sounds good. Should i open a bug report for this?
>
> Not needed. It's fixed in master. I'm going to backport this to 2.0.
>
> The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
>
> > Is there any workaround we can apply to fix this issue? Currently i
> > am using a self compiled ssh client binary of openssh 6.7p1 as
> > workaround.
>
> Well, I found another bug with PC/SC. Because of this bug, it is
> sometimes (not always) possible for gpg not to raise the error of
> "Conflicting usage". So, it would be a workaround to disable internal
> ccid driver of GnuPG and to use PC/SC. (I don't recommend, though.)
>
> Here is a backport patch which I'm considering to apply to 2.0.
>
> Thank you again for your cooperation fixing this long standing bug.
>
> =========================
> diff --git a/scd/apdu.c b/scd/apdu.c
> index f9a1a2d..acca799 100644
> --- a/scd/apdu.c
> +++ b/scd/apdu.c
> @@ -3136,7 +3136,13 @@ apdu_close_reader (int slot)
> return SW_HOST_NO_DRIVER;
> sw = apdu_disconnect (slot);
> if (sw)
> - return sw;
> + {
> + /*
> + * When the reader/token was removed it might come here.
> + * It should go through to call CLOSE_READER even if we got an
> error.
> + */
> + log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw);
> + }
> if (reader_table[slot].close_reader)
> return reader_table[slot].close_reader (slot);
> return SW_HOST_NOT_SUPPORTED;
> diff --git a/scd/app-common.h b/scd/app-common.h
> index e48db3c..ac2c2e9 100644
> --- a/scd/app-common.h
> +++ b/scd/app-common.h
> @@ -44,11 +44,6 @@ struct app_ctx_s {
> operations the particular function pointer is set to NULL */
> unsigned int ref_count;
>
> - /* Flag indicating that a reset has been done for that application
> - and that this context is merely lingering and just should not be
> - reused. */
> - int no_reuse;
> -
> /* Used reader slot. */
> int slot;
>
> diff --git a/scd/app.c b/scd/app.c
> index 742f937..380a347 100644
> --- a/scd/app.c
> +++ b/scd/app.c
> @@ -190,9 +190,12 @@ application_notify_card_reset (int slot)
> /* FIXME: We are ignoring any error value here. */
> lock_reader (slot, NULL);
>
> - /* Mark application as non-reusable. */
> + /* Release the APP, as it's not reusable any more. */
> if (lock_table[slot].app)
> - lock_table[slot].app->no_reuse = 1;
> + {
> + deallocate_app (lock_table[slot].app);
> + lock_table[slot].app = NULL;
> + }
>
> /* Deallocate a saved application for that slot, so that we won't
> try to reuse it. If there is no saved application, set a flag so
> @@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char
> *name, app_t *r_app)
> return gpg_error (GPG_ERR_CONFLICT);
> }
>
> - /* Don't use a non-reusable marked application. */
> - if (app && app->no_reuse)
> - {
> - unlock_reader (slot);
> - log_info ("lingering application `%s' in use by reader %d"
> - " - can't switch\n",
> - app->apptype? app->apptype:"?", slot);
> - return gpg_error (GPG_ERR_CONFLICT);
> - }
> -
> /* If we don't have an app, check whether we have a saved
> application for that slot. This is useful so that a card does
> not get reset even if only one session is using the card - this
> @@ -506,15 +499,7 @@ release_application (app_t app)
>
> if (lock_table[slot].last_app)
> deallocate_app (lock_table[slot].last_app);
> - if (app->no_reuse)
> - {
> - /* If we shall not re-use the application we can't save it for
> - later use. */
> - deallocate_app (app);
> - lock_table[slot].last_app = NULL;
> - }
> - else
> - lock_table[slot].last_app = lock_table[slot].app;
> + lock_table[slot].last_app = lock_table[slot].app;
> lock_table[slot].app = NULL;
> unlock_reader (slot);
> }
> --
>
--
Lance R. Vick
__________________________________________________
Cell - 407.283.7596
Gtalk - lance at lrvick.net
Website - http://lrvick.net
PGP Key - http://lrvick.net/0x36C8AAA9.asc
keyserver - subkeys.pgp.net
__________________________________________________
From andrey.od.utkin at gmail.com Thu Dec 3 05:25:27 2015
From: andrey.od.utkin at gmail.com (Andrey Utkin)
Date: Thu, 3 Dec 2015 06:25:27 +0200
Subject: Why gpg 2.1.9 cannot export secret key without passphrase?
In-Reply-To: <565D7545.60007@digitalbrains.com>
References: <5653BA6F.1040002@gmail.com> <20151127123930.02d71cff@fire>
<56583E47.8090307@digitalbrains.com> <565C9F0F.9000806@gmail.com>
<565CA939.8020308@digitalbrains.com> <565CD38E.4060408@gmail.com>
<565D7545.60007@digitalbrains.com>
Message-ID: <565FC437.2010209@gmail.com>
Thank you for your hints Peter.
The following tiny changes allow exporting and importing to succeed
https://github.com/andrey-utkin/gnupg/commit/a3b539b6ef7c922b1f1f3f343fdc942086d96c4e
Is the approach of using "s2kmode = 0" and "protection sha1" together
correct? Shouldn't "protection none" be used?
--
OpenPGP usage is appreciated (it also helps your letter to bypass spam
filters). To email me with encryption easily, go
https://encrypt.to/0xC6FCDB11
From the2nd at otpme.org Thu Dec 3 12:04:06 2015
From: the2nd at otpme.org (the2nd at otpme.org)
Date: Thu, 03 Dec 2015 12:04:06 +0100
Subject: scdaemon lockup with Yubikey NEO
In-Reply-To: <565FAEE3.9030602@fsij.org>
References:
<3a3ecea4beb0c02bc963be57ee991b06@otpme.org>
<565D1F33.4090206@fsij.org>
<7e34851165fa63d62952f2a66440e567@otpme.org>
<1449040568.9848.1.camel@fsij.org>
<87641f45c044ba0aaecd7669ae979cd2@otpme.org>
<1449062789.2160.3.camel@fsij.org>
<974725082684833653e68c6ca4fe7ee9@otpme.org> <565FAEE3.9030602@fsij.org>
Message-ID: <8030456070979ca6d09e1d699ffa0279@otpme.org>
On 2015-12-03 03:54, NIIBE Yutaka wrote:
> On 12/02/2015 11:35 PM, the2nd at otpme.org wrote:
>> No problem. I'm glad to help out and probably get a fix for this
>> annoying issue. :)
>
> Thanks for your patience.
>
>>> Anyway, when Scdaemon detects card/token removal, it could finish
>>> existing connection(s). I'll consider fixing this.
>>
>> Sounds good. Should i open a bug report for this?
>
> Not needed. It's fixed in master. I'm going to backport this to 2.0.
>
> The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
>
>> Is there any workaround we can apply to fix this issue? Currently i
>> am using a self compiled ssh client binary of openssh 6.7p1 as
>> workaround.
>
> Well, I found another bug with PC/SC. Because of this bug, it is
> sometimes (not always) possible for gpg not to raise the error of
> "Conflicting usage". So, it would be a workaround to disable internal
> ccid driver of GnuPG and to use PC/SC. (I don't recommend, though.)
>
> Here is a backport patch which I'm considering to apply to 2.0.
>
> Thank you again for your cooperation fixing this long standing bug.
Thank you for fixing it. :)
Currently i will use the udev rule workaround from Lance.
Is there any automatism that informs e.g. debian/ubuntu folks about such
a backported fix?
Does it make sense to open a debian/ubuntu bug report for this with
reference to this thread?
>
> =========================
> diff --git a/scd/apdu.c b/scd/apdu.c
> index f9a1a2d..acca799 100644
> --- a/scd/apdu.c
> +++ b/scd/apdu.c
> @@ -3136,7 +3136,13 @@ apdu_close_reader (int slot)
> return SW_HOST_NO_DRIVER;
> sw = apdu_disconnect (slot);
> if (sw)
> - return sw;
> + {
> + /*
> + * When the reader/token was removed it might come here.
> + * It should go through to call CLOSE_READER even if we got an
> error.
> + */
> + log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw);
> + }
> if (reader_table[slot].close_reader)
> return reader_table[slot].close_reader (slot);
> return SW_HOST_NOT_SUPPORTED;
> diff --git a/scd/app-common.h b/scd/app-common.h
> index e48db3c..ac2c2e9 100644
> --- a/scd/app-common.h
> +++ b/scd/app-common.h
> @@ -44,11 +44,6 @@ struct app_ctx_s {
> operations the particular function pointer is set to NULL */
> unsigned int ref_count;
>
> - /* Flag indicating that a reset has been done for that application
> - and that this context is merely lingering and just should not be
> - reused. */
> - int no_reuse;
> -
> /* Used reader slot. */
> int slot;
>
> diff --git a/scd/app.c b/scd/app.c
> index 742f937..380a347 100644
> --- a/scd/app.c
> +++ b/scd/app.c
> @@ -190,9 +190,12 @@ application_notify_card_reset (int slot)
> /* FIXME: We are ignoring any error value here. */
> lock_reader (slot, NULL);
>
> - /* Mark application as non-reusable. */
> + /* Release the APP, as it's not reusable any more. */
> if (lock_table[slot].app)
> - lock_table[slot].app->no_reuse = 1;
> + {
> + deallocate_app (lock_table[slot].app);
> + lock_table[slot].app = NULL;
> + }
>
> /* Deallocate a saved application for that slot, so that we won't
> try to reuse it. If there is no saved application, set a flag so
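Review bot: application_notify_card_reset now calls deallocate_app on lock_table[slot].app without looking at ref_count, which the app_ctx_s context in this patch shows is still part of the struct. If a session still holds this app pointer when the card is reset, it is left pointing at freed memory. Either check ref_count here and document why it must be zero, or make sure every holder drops its pointer before the deallocation.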
> @@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const
> char *name, app_t *r_app)
> return gpg_error (GPG_ERR_CONFLICT);
> }
>
> - /* Don't use a non-reusable marked application. */
> - if (app && app->no_reuse)
> - {
> - unlock_reader (slot);
> - log_info ("lingering application `%s' in use by reader %d"
> - " - can't switch\n",
> - app->apptype? app->apptype:"?", slot);
> - return gpg_error (GPG_ERR_CONFLICT);
> - }
> -
> /* If we don't have an app, check whether we have a saved
> application for that slot. This is useful so that a card does
> not get reset even if only one session is using the card - this
> @@ -506,15 +499,7 @@ release_application (app_t app)
>
> if (lock_table[slot].last_app)
> deallocate_app (lock_table[slot].last_app);
> - if (app->no_reuse)
> - {
> - /* If we shall not re-use the application we can't save it for
> - later use. */
> - deallocate_app (app);
> - lock_table[slot].last_app = NULL;
> - }
> - else
> - lock_table[slot].last_app = lock_table[slot].app;
> + lock_table[slot].last_app = lock_table[slot].app;
> lock_table[slot].app = NULL;
> unlock_reader (slot);
> }
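Review bot: release_application receives app as its argument but after this hunk stores lock_table[slot].app in last_app unconditionally, while the first app.c hunk can already have freed that app and set the slot entry to NULL on a card reset. A comment stating what callers may pass after a reset, or a guard for the case where app is no longer lock_table[slot].app, would make the lifetime rules explicit.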
From peter at digitalbrains.com Thu Dec 3 15:15:59 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 03 Dec 2015 15:15:59 +0100
Subject: Why gpg 2.1.9 cannot export secret key without passphrase?
In-Reply-To: <565FC437.2010209@gmail.com>
References: <5653BA6F.1040002@gmail.com> <20151127123930.02d71cff@fire>
<56583E47.8090307@digitalbrains.com> <565C9F0F.9000806@gmail.com>
<565CA939.8020308@digitalbrains.com> <565CD38E.4060408@gmail.com>
<565D7545.60007@digitalbrains.com> <565FC437.2010209@gmail.com>
Message-ID: <56604E9F.6070504@digitalbrains.com>
On 03/12/15 05:25, Andrey Utkin wrote:
> Is the approach of using "s2kmode = 0" and "protection sha1" together
> correct? Shouldn't "protection none" be used?
Why is all this hackery necessary? Why don't you just install GnuPG 1.4
next to your 2.1, instead of compiling a special hacked 2.1?
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From wk at gnupg.org Fri Dec 4 14:06:49 2015
From: wk at gnupg.org (Werner Koch)
Date: Fri, 04 Dec 2015 14:06:49 +0100
Subject: [Announce] GnuPG 2.1.10 released
Message-ID: <878u5al5w6.fsf@vigenere.g10code.de>
Hello!
The GnuPG team is pleased to announce the availability of a new release
of GnuPG modern: Version 2.1.10. The main features of this release are
support for TOFU (Trust-On-First-Use) and anonymous key retrieval via
Tor.
The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.
GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories. GnuPG itself is a command line tool with features for easy
integration with other applications. A wealth of frontend applications
and libraries making use of GnuPG are available. Since version 2 GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.
GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.
Three different branches of GnuPG are actively maintained:
- GnuPG "modern" (2.1) is the latest development with a lot of new
features. This announcement is about this branch.
- GnuPG "stable" (2.0) is the current stable version for general use.
This is what most users are currently using.
- GnuPG "classic" (1.4) is the old standalone version which is most
suitable for older or embedded platforms.
You may not install "modern" (2.1) and "stable" (2.0) at the same
time. However, it is possible to install "classic" (1.4) along with
any of the other versions.
Noteworthy changes in version 2.1.10
====================================
* gpg: New trust models "tofu" and "tofu+pgp".
* gpg: New command --tofu-policy. New options --tofu-default-policy
and --tofu-db-format.
* gpg: New option --weak-digest to specify hash algorithms which
should be considered weak.
* gpg: Allow the use of multiple --default-key options; take the last
available key.
* gpg: New option --encrypt-to-default-key.
* gpg: New option --unwrap to only strip the encryption layer.
* gpg: New option --only-sign-text-ids to exclude photo IDs from key
signing.
* gpg: Check for ambiguous or non-matching key specification in the
config file or given to --encrypt-to.
* gpg: Show the used card reader with --card-status.
* gpg: Print export statistics and an EXPORTED status line.
* gpg: Allow selecting subkeys by keyid in --edit-key.
* gpg: Allow updating the expiration time of multiple subkeys at
once.
* dirmngr: New option --use-tor. For full support this requires
libassuan version 2.4.2 and a patched version of libadns
(e.g. adns-1.4-g10-7 as used by the standard Windows installer).
* dirmngr: New option --nameserver to specify the nameserver used in
Tor mode.
* dirmngr: Keyservers may again be specified by IP address.
* dirmngr: Fixed problems in resolving keyserver pools.
* dirmngr: Fixed handling of premature termination of TLS streams so
that large numbers of keys can be refreshed via hkps.
* gpg: Fixed a regression in --locate-key [since 2.1.9].
* gpg: Fixed another bug for keyrings with legacy keys.
* gpgsm: Allow combinations of usage flags in --gen-key.
* Make tilde expansion work with most options.
* Many other cleanups and bug fixes.
A detailed description of the changes found in the 2.1 branch can be
found at .
Please be aware that there are still known bugs which we are working on.
Check https://bugs.gnupg.org, https://wiki.gnupg.org, and the mailing
list archives for known problems and workarounds.
Getting the Software
====================
Please follow the instructions found at or
read on:
GnuPG 2.1.10 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server. The list of mirrors can be found
at . Note that GnuPG is not available
at ftp.gnu.org.
The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.10.tar.bz2 (5052k)
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.10.tar.bz2.sig
or here:
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.10.tar.bz2 (5052k)
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.10.tar.bz2.sig
An installer for Windows without any graphical frontend except for a
basic Pinentry tool is available here:
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.10_20151204.exe (2617k)
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.10_20151204.exe.sig
or here
https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.10_20151204.exe (2617k)
https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.10_20151204.exe.sig
The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix. This Windows installer is missing
translations, it has no TOFU support and no HKPS support. However, it
fully supports Tor and the Tor browser.
Checking the Integrity
======================
In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:
* If you already have a version of GnuPG installed, you can simply
verify the supplied signature. For example to verify the signature
of the file gnupg-2.1.10.tar.bz2 you would use this command:
gpg --verify gnupg-2.1.10.tar.bz2.sig gnupg-2.1.10.tar.bz2
This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
made by one or more of the release signing keys. Make sure that
this is a valid key, either by matching the shown fingerprint
against a trustworthy list of valid release signing keys or by
checking that the key has been signed by trustworthy other keys.
See below for information on the signing keys.
* If you are not able to use an existing version of GnuPG, you have
to verify the SHA-1 checksum. On Unix systems the command to do
this is either "sha1sum" or "shasum". Assuming you downloaded the
file gnupg-2.1.10.tar.bz2, you run the command like this:
sha1sum gnupg-2.1.10.tar.bz2
and check that the output matches the next line:
4aa2594d2d364fe7708a9739ae7cebd251e536c4 gnupg-2.1.10.tar.bz2
b86b642390e1bf1b144b84dfabdcd574a56c0ba8 gnupg-w32-2.1.10_20151204.exe
2923d56ac5288570b5503c3038081dc28e6294cd gnupg-w32-2.1.10_20151204.tar.xz
Release Signing Keys
====================
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of
their respective owners. Current releases are signed by one or more
of these four keys:
2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
Werner Koch (dist sig)
rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
David Shaw (GnuPG Release Signing Key)
rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28]
Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
NIIBE Yutaka (GnuPG Release Key)
rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
Werner Koch (Release Signing Key)
You may retrieve these keys from a keyserver using this command
gpg --keyserver hkp://keys.gnupg.net --recv-keys \
249B39D24F25E3B6 04376F3EE0856959 \
2071B08A33BD3F06 8A861B1C7EFD60D9
The keys are also available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.
Internationalization
====================
This version of GnuPG has support for 26 languages with Chinese,
Czech, French, German, Japanese, Russian, and Ukrainian being almost
completely translated (2111 different strings).
Documentation
=============
If you used GnuPG in the past you should read the description of
changes and new features at doc/whats-new-in-2.1.txt or online at
https://gnupg.org/faq/whats-new-in-2.1.html
The file gnupg.info has the complete user manual of the system.
Separate man pages are included as well but they do not have all the
details available in the manual. It is also possible to read the
complete manual online in HTML format at
https://gnupg.org/documentation/manuals/gnupg/
or in Portable Document Format at
https://gnupg.org/documentation/manuals/gnupg.pdf .
The chapters on gpg-agent, gpg and gpgsm include information on how
to set up the whole thing. You may also want to search the GnuPG mailing
list archives or ask on the gnupg-users mailing lists for advice on
how to solve problems. Many of the new features are around for
several years and thus enough public knowledge is already available.
You may also want to follow postings at .
Support
========
Please consult the archive of the gnupg-users mailing list before
reporting a bug .
We suggest to send bug reports for a new release to this list in favor
of filing a bug at . For commercial support
requests we keep a list of known service companies at:
https://gnupg.org/service.html
If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.
Maintenance and development of GnuPG is mostly financed by donations.
As of today we employ 3 full-time developers, one part-timer, and one
contractor. They all work on GnuPG and closely related software like
Enigmail. Please see
https://gnupg.org/donate/
on how you can help.
Thanks
======
We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, answering questions on the mailing
lists, and donating money.
For the GnuPG hackers,
Werner
p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users'at'gnupg.org mailing list.
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
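The fingerprint check described under "Checking the Integrity" in the announcement above, as an added example that is not part of the original mail or of GnuPG: a POSIX shell function that reads `gpg --status-fd` output and accepts a signature only when it comes from one of the four listed release keys. The function name and the three sample status blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate a download on gpg's machine-readable status output.
# Allow-list: the four release signing key fingerprints printed in the
# announcement, written as shown there and compacted by removing spaces.
RELEASE_FPRS=$(tr -d ' ' <<'EOF'
D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
EOF
)

# check_release_sig: reads "gpg --status-fd 1 --verify ..." lines on stdin.
#   prints "trusted <fpr>" and returns 0: a VALIDSIG names an allow-listed key
#   prints "untrusted"     and returns 1: no VALIDSIG from an allow-listed key
#   prints "rejected"      and returns 2: any BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG
# VALIDSIG alone is not sufficient: gpg also emits it next to EXPKEYSIG and
# REVKEYSIG, so those keywords must veto the result.
check_release_sig() {
    trusted_fpr=""
    failed=0
    while read -r prefix keyword signer rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
                failed=1 ;;
            VALIDSIG)
                # $signer is the signing (sub)key fingerprint; the last field
                # of the line is the primary key fingerprint.
                primary=${rest##* }
                for fpr in $RELEASE_FPRS; do
                    if [ "$signer" = "$fpr" ] || [ "$primary" = "$fpr" ]; then
                        trusted_fpr=$fpr
                    fi
                done ;;
        esac
    done
    if [ "$failed" -eq 1 ]; then
        echo "rejected"; return 2
    fi
    if [ -z "$trusted_fpr" ]; then
        echo "untrusted"; return 1
    fi
    echo "trusted $trusted_fpr"
}

# Constructed status output (not captured from a real gpg run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8A861B1C7EFD60D9 Werner Koch (Release Signing Key)
[GNUPG:] VALIDSIG D238EA65D64C67ED4C3073F28A861B1C7EFD60D9 2015-12-04 1449234409 0 4 0 1 8 00 D238EA65D64C67ED4C3073F28A861B1C7EFD60D9'

# Constructed: a cryptographically valid signature from a key that is not on the list.
SAMPLE_UNKNOWN='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Other Key
[GNUPG:] VALIDSIG 0000111122223333444455550123456789ABCDEF 2015-12-04 1449234409 0 4 0 1 8 00 0000111122223333444455550123456789ABCDEF'

# Constructed: what a listed key would report after its expiry date has passed.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 2071B08A33BD3F06 NIIBE Yutaka (GnuPG Release Key)
[GNUPG:] VALIDSIG 031EC2536E580D8EA286A9F22071B08A33BD3F06 2016-11-01 1477958400 0 4 0 1 8 00 031EC2536E580D8EA286A9F22071B08A33BD3F06'

# Demo over the constructed samples. Real use would be:
#   gpg --status-fd 1 --verify gnupg-2.1.10.tar.bz2.sig gnupg-2.1.10.tar.bz2 \
#       2>/dev/null | check_release_sig
for sample in "$SAMPLE_GOOD" "$SAMPLE_UNKNOWN" "$SAMPLE_EXPIRED"; do
    printf '%s\n' "$sample" | check_release_sig || :
done
```
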
From andrey.od.utkin at gmail.com Sun Dec 6 21:41:48 2015
From: andrey.od.utkin at gmail.com (Andrey Utkin)
Date: Sun, 6 Dec 2015 22:41:48 +0200
Subject: Why gpg 2.1.9 cannot export secret key without passphrase?
In-Reply-To: <56604E9F.6070504@digitalbrains.com>
References: <5653BA6F.1040002@gmail.com> <20151127123930.02d71cff@fire>
<56583E47.8090307@digitalbrains.com> <565C9F0F.9000806@gmail.com>
<565CA939.8020308@digitalbrains.com> <565CD38E.4060408@gmail.com>
<565D7545.60007@digitalbrains.com> <565FC437.2010209@gmail.com>
<56604E9F.6070504@digitalbrains.com>
Message-ID: <56649D8C.5070204@gmail.com>
Just for note.
This can be worked around the following way (works in both 1.4 and 2.1,
didn't test in 2.0).
1. Export key, giving any non-empty passphrase.
2. Import key on new location supposed for automated key usage.
3. `gpg --edit-key `, there type "passwd", enter old passphrase,
enter empty line twice, strike Ctrl+D, confirm changes saving. This
works identically in both 1.4 and 2.1.
If importing location has no capability of passphrase changing
(--edit-key) - e.g. Android Open Keychain - import it to 1.4 keychain,
then export it, it will let you export it without passphrase (won't even
ask for it).
Thank you Peter for pointing out that this is solvable without fixing
the issue in code, but your suggested solution wasn't enough, so I had
to go a few steps further :)
I'd like to state this explicitly (due to rational point made by Peter)
that the link to my private GnuPG git fork with a patch is not supposed
a working solution - it is an experimental work in progress which is not
assured for being interoperable. It is a fruit of uneducated reckless
tinkering with original code.
--
OpenPGP usage is appreciated (it also helps your letter to bypass spam
filters). To email me with encryption easily, go
https://encrypt.to/0xC6FCDB11
From darkpenguin at yandex.ru Sat Dec 5 20:33:36 2015
From: darkpenguin at yandex.ru (Dark Penguin)
Date: Sat, 05 Dec 2015 22:33:36 +0300
Subject: GPA - unsupported certificate
Message-ID: <56633C10.2050203@yandex.ru>
I wanted to report a few bugs in GPA that I've been getting on Debian
Squeeze, but I thought I should check if they still exist in the latest
version. So, I've installed Debian Jessie and got the latest release
(0.9.9) to see if there was any improvement since few years ago.
So, I start "gpa". The first thing I see is the Key Manager window and
an invitation to create a new key. On top of it, an error message
("Unsupported certificate") pops up immediately; on top of this message,
"GnuPG is rebuilding the trust database", which "might take a few
seconds", but takes forever.
I tried to wait, but in the end I just had to close the "trust database"
popup and the "Unsupported certificate" error message. Then I proceeded
with generating a new key, and made sure all those old bugs are still
there. And what's more, every time I open the Key Manager window, the
"Unsupported certificate" error pops up again, and there are no keys in
the Key Manager. Not even the one I've created.
Are those really bugs or am I doing something wrong?.. I've tried that
on an Ubuntu 14.04 LTS livecd right after booting it up, to see if it
works on one of the most popular distributions, but all the problems
were exactly the same.
So, the problems are there on Debian Jessie with 3.16 kernel, gpa
0.9.5/0.9.9 and gpg 1.4.18/2.0.26 and Ubuntu 14.04 LTS with 3.19 kernel,
gpa 0.9.4-1 and gpg 1.4.16/2.0.22. (I didn't upgrade Ubuntu before
trying. Also, seems like GPA uses the gpg2-branch, but does it really
call upon gpg2 and not old gpg, which is hardly possible to remove from
the system without breaking a LOT of dependencies like APT?..) Should I
go on and submit all those things as bug reports, or am I missing
something important here?.. Seriously, things don't work out of the box
and nobody has even noticed?.. I just have a hard time believing it...
--
darkpenguin
From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 7 01:05:51 2015
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Mon, 7 Dec 2015 00:05:51 +0000
Subject: [Announce] GnuPG 2.1.10 released
In-Reply-To: <878u5al5w6.fsf@vigenere.g10code.de>
References: <878u5al5w6.fsf@vigenere.g10code.de>
Message-ID: <566683204.20151207000551@my_localhost>
Hi
On Friday 4 December 2015 at 1:06:49 PM, in
, Werner Koch wrote:
> * gpg: New trust models "tofu" and "tofu+pgp".
> * gpg: New command --tofu-policy. New options
> --tofu-default-policy and --tofu-db-format.
Should these be available in the Windows version? I get:-
gpg: unknown trust model 'tofu+pgp'
gpg: unknown TOFU policy 'ask'
--
Best regards
MFPA
Change is inevitable except from a vending machine
From david at gbenet.com Mon Dec 7 01:24:55 2015
From: david at gbenet.com (david at gbenet.com)
Date: Mon, 7 Dec 2015 00:24:55 +0000
Subject: GPA - unsupported certificate
In-Reply-To: <56633C10.2050203@yandex.ru>
References: <56633C10.2050203@yandex.ru>
Message-ID: <5664D1D7.9050101@gbenet.com>
On 05/12/15 19:33, Dark Penguin wrote:
> I wanted to report a few bugs in GPA that I've been getting on Debian Squeeze, but I thought
> I should check if they still exist in the latest version. So, I've installed Debian Jessie
> and got the latest release (0.9.9) to see if there was any improvement since few years ago.
>
> So, I start "gpa". The first thing I see is the Key Manager window and an invitation to
> create a new key. On top of it, an error message ("Unsupported certificate") pops up
> immediately; on top of this message, "GnuPG is rebuilding the trust database", which "might
> take a few seconds", but takes forever.
>
> I tried to wait, but in the end I just had to close the "trust database" popup and the
> "Unsupported certificate" error message. Then I proceeded with generating a new key, and
> made sure all those old bugs are still there. And what's more, every time I open the Key
> Manager window, the "Unsupported certificate" error pops up again, and there are no keys in
> the Key Manager. Not even the one I've created.
>
> Are those really bugs or am I doing something wrong?.. I've tried that on an Ubuntu 14.04
> LTS livecd right after booting it up, to see if it works on one of the most popular
> distributions, but all the problems were exactly the same.
>
> So, the problems are there on Debian Jessie with 3.16 kernel, gpa 0.9.5/0.9.9 and gpg
> 1.4.18/2.0.26 and Ubuntu 14.04 LTS with 3.19 kernel, gpa 0.9.4-1 and gpg 1.4.16/2.0.22. (I
> didn't upgrade Ubuntu before trying. Also, seems like GPA uses the gpg2-branch, but does it
> really call upon gpg2 and not old gpg, which is hardly possible to remove from the system
> without breaking a LOT of dependencies like APT?..) Should I go on and submit all those
> things as bug reports, or am I missing something important here?.. Seriously, things don't
> work out of the box and nobody has even noticed?.. I just have a hard time believing it...
>
>
Hi Dark Penguin,
The first thing to say is - when installing any Linux distro you need to ensure that the
distro has installed every software update every security fix first. This is important when
installing GPA Kleopatra and KGPG.
Every Linux distro has gnupg installed - so at a terminal just type gpg - this will create
ALL the folders and files needed (.gnupg) it's pointless installing GPA without running gpg
first - I think it's pretty silly.
Then you may wish to install gpgv2 via the package manager. Only then install GPA Kleopatra
or KGPG. And only after installing all the updates and security fixes.
Once you have done this you can use any of the packages to create a set of keys - GPA
Kleopatra or Kgpg.
There are no bugs in GPA - all these programmes expect to find a valid existing .gnupg
David
There are no bugs in GPA
--
"See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the
kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No
delusion." https://linuxcounter.net/user/512854.html - http://gbenet.com
From neal at walfield.org Mon Dec 7 10:04:58 2015
From: neal at walfield.org (Neal H. Walfield)
Date: Mon, 07 Dec 2015 10:04:58 +0100
Subject: [Announce] GnuPG 2.1.10 released
In-Reply-To: <566683204.20151207000551@my_localhost>
References: <878u5al5w6.fsf@vigenere.g10code.de>
<566683204.20151207000551@my_localhost>
Message-ID: <87a8pm1vet.wl-neal@walfield.org>
On Mon, 07 Dec 2015 01:05:51 +0100,
MFPA wrote:
> > * gpg: New trust models "tofu" and "tofu+pgp".
>
> > * gpg: New command --tofu-policy. New options
> > --tofu-default-policy and --tofu-db-format.
>
> Should these be available in the Windows version? I get:-
>
> gpg: unknown trust model 'tofu+pgp'
> gpg: unknown TOFU policy 'ask'
TOFU depends on libsqlite, which you are probably missing. If GnuPG
doesn't find it, then it disables TOFU. Can you check whether this is
the case?
Thanks!
:) Neal
From wk at gnupg.org Mon Dec 7 11:06:49 2015
From: wk at gnupg.org (Werner Koch)
Date: Mon, 07 Dec 2015 11:06:49 +0100
Subject: [Announce] GnuPG 2.1.10 released
In-Reply-To: <566683204.20151207000551@my_localhost> (MFPA's message of "Mon,
7 Dec 2015 00:05:51 +0000")
References: <878u5al5w6.fsf@vigenere.g10code.de>
<566683204.20151207000551@my_localhost>
Message-ID: <87h9juefnq.fsf@vigenere.g10code.de>
On Mon, 7 Dec 2015 01:05, 2014-667rhzu3dc-lists-groups at riseup.net said:
> Should these be available in the Windows version? I get:-
>
> gpg: unknown trust model 'tofu+pgp'
> gpg: unknown TOFU policy 'ask'
Have a look into the announcement:
The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix. This Windows installer is missing
translations, it has no TOFU support and no HKPS support. However, it
^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
fully supports Tor and the Tor browser.
The reason for the missing Tofu support is that we need to package
Sqlite in a way to make it easy to cross-compile for Windows. It is
just a bit of work but other things have higher priority for now than
Windows.
HKPS support is missing because our NTBTLS library is not yet ready. We
want to use that small footprint library to avoid the huge overhead of
installing GNUTLS with all its dependencies on Windows which duplicates
most of our crypto code since GNUTLS switched to another crypto library.
However, installing Tor and using an .onion keyserver is anyway a better
option for OpenPGP keys.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From peter at digitalbrains.com Mon Dec 7 11:41:16 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 07 Dec 2015 11:41:16 +0100
Subject: GPA - unsupported certificate
In-Reply-To: <5664D1D7.9050101@gbenet.com>
References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com>
Message-ID: <5665624C.3010501@digitalbrains.com>
On 07/12/15 01:24, david at gbenet.com wrote:
> Every Linux distro has gnupg installed - so at a terminal just type gpg -
> this will create ALL the folders and files needed (.gnupg) it's pointless
> installing GPA without running gpg first - I think it's pretty silly.
Eh? I don't find it silly at all. Why would someone, unprompted, fire up a
terminal to initialise the GUI program they installed because they'd rather
use a GUI program than a terminal program? That's like saying you should fire
up Vim before you can use XFCE's Mousepad editor. Well, not really, but it's
still silly to suggest that it is silly to expect a GUI program to do what it
is supposed to do: pretty much replace the command line alternative. Wow, long
complicated sentence. Better end with sentence fragments to compensate.
Anyway, a quick glance at the open bugs for GPA in Jessie[1] show that it is a
problem for people, but developers have difficulty reproducing it. In fact,
those bugs are still open in Sid.
That is, apart from the well-known issue: GNOME Keyring hijacks the agent
connection, which causes all sorts of problems. Up until recently, they were
unwilling to stop breaking GnuPG this way; but recently, they've finally
agreed to provide their functionality in a different way that actually agrees
with the GnuPG architecture.
GPA will get very confused when GNOME Keyring hijacks the agent connection.
For me, Debian Jessie x86_64 with XFCE, I'm pretty sure I fixed it with
"Settings -> Session and Startup", "Application Autostart", uncheck the box
next to "GPG Password Agent (GNOME Keyring: GPG Agent)". But a search on the
web for disabling GNOME Keyring's GPG Agent should provide more information.
HTH,
Peter.
[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?package=gpa;dist=stable
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From dkg at fifthhorseman.net Mon Dec 7 13:56:03 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 07 Dec 2015 07:56:03 -0500
Subject: Cannot revoke a certificate
In-Reply-To: <565F7C56.2080901@theflorys.org>
References: <565F7C56.2080901@theflorys.org>
Message-ID: <8737vexvrw.fsf@alice.fifthhorseman.net>
On Wed 2015-12-02 18:18:46 -0500, David wrote:
> I am trying to revoke a very old certificate that may be compromised. I
> generated a revocation certificate using the following gpg command with
> no errors. I did get a warning about MD5 being deprecated.
>
> C:\Users\David> gpg --output kill7827.asc --gen-revoke 80942C8D
>
> However, I cannot use it. Here is the output:
>
> C:\Users\David> gpg --import .\kill7827.asc
> gpg: Note: signatures using the MD5 algorithm are rejected
> gpg: key 80942C8D: invalid revocation certificate: Invalid digest
> algorithm - rejected
> gpg: error reading `.\\kill7827.asc': Invalid digest algorithm
> gpg: import from `.\\kill7827.asc' failed: Invalid digest algorithm
> gpg: Total number processed: 0
> C:\Users\David>
You should try adding "--cert-digest-algo sha1" arguments before the
--gen-revoke command to make a SHA1-based certificate revocation.
--dkg
From dkg at fifthhorseman.net Mon Dec 7 09:12:56 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 07 Dec 2015 09:12:56 +0100
Subject: GPA - unsupported certificate
In-Reply-To: <5664D1D7.9050101@gbenet.com>
References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com>
Message-ID: <87r3iyy8vr.fsf@alice.fifthhorseman.net>
On Mon 2015-12-07 01:24:55 +0100, "david at gbenet.com" wrote:
> The first thing to say is - when installing any Linux distro you need to ensure that the
> distro has installed every software update every security fix first. This is important when
> installing GPA Kleopatra and KGPG.
>
> Every Linux distro has gnupg installed - so at a terminal just type gpg - this will create
> ALL the folders and files needed (.gnupg) it's pointless installing GPA without running gpg
> first - I think it's pretty silly.
hm, i'd say that if gpa knows that gpg needs to be run first, and it
hasn't been run, it should run it on the user's behalf instead of
expecting that they know this bit of esoterica.
Dark Penguin, if you're experiencing problems with GPA integration with
the rest of the OS, I encourage you to report a bug to debian.
On a debian system, you might use the "reportbug" utility to do this.
> Then you may wish to install gpgv2 via the package manager. Only then install GPA Kleopatra
> or KGPG. And only after installing all the updates and security fixes.
If these packages must be installed in a certain order, the package
manager should know about that order. if it does not, this is a bug in
the stated dependencies of the packages in question.
For example, if gpa won't work without the gnupg2 package installed,
but it doesn't state that it explicitly depends on gnupg2, that would be
a bug in gpa.
Regards,
--dkg
From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 7 23:13:48 2015
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Mon, 7 Dec 2015 22:13:48 +0000
Subject: [Announce] GnuPG 2.1.10 released
In-Reply-To: <87h9juefnq.fsf@vigenere.g10code.de>
References: <878u5al5w6.fsf@vigenere.g10code.de>
<566683204.20151207000551@my_localhost> <87h9juefnq.fsf@vigenere.g10code.de>
Message-ID: <123391295.20151207221348@my_localhost>
Hi
On Monday 7 December 2015 at 10:06:49 AM, in
, Werner Koch wrote:
> Have a look into the announcement:
> The source used to build the Windows installer can be
> found in the same directory with a ".tar.xz" suffix.
> This Windows installer is missing translations, it
> has no TOFU support and no HKPS support. However, it
> ^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^ fully supports
> Tor and the Tor browser.
Oops! I missed that bit. Sorry.
> The reason for the missing Tofu support is that we need
> to package Sqlite in a way to make it easy to
> cross-compile for Windows. It is just a bit of work
> but other things have higher priority for now than
> Windows.
Thanks for the explanation.
--
Best regards
MFPA
Colourless green ideas sleep furiously (Noam Chomsky)
From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 8 00:51:36 2015
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Mon, 7 Dec 2015 23:51:36 +0000
Subject: Error message "gpg: Can't check signature: Broken public key"
Message-ID: <144345553.20151207235136@my_localhost>
What does the error message "gpg: Can't check signature: Broken public
key" mean?
One of the members of PGPNET reports getting that error
message when verifying the signatures on my signed and encrypted
messages to the group. He gets it for the signatures from my EDDSA subkey
0x1712BC461AF778E4, and says he uses GnuPG 2.1.8.
The only references I can find (eg [0]) say:-
592 GPG_ERR_BROKEN_PUBKEY Broken public key
593
594 The public key was mathematically not correctly generated.
[0]
--
Best regards
MFPA
Why is the universe here? Well, where else would it be?
From gniibe at fsij.org Tue Dec 8 09:26:23 2015
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 08 Dec 2015 17:26:23 +0900
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <144345553.20151207235136@my_localhost>
References: <144345553.20151207235136@my_localhost>
Message-ID: <5666942F.2000404@fsij.org>
On 12/08/2015 08:51 AM, MFPA wrote:
> What does the error message "gpg: Can't check signature: Broken public
> key" mean?
>
> One of the members of PGPNET reports getting that error
> message when verifying the signatures on my signed and encrypted
> messages to the group. He gets it for the signatures from my EDDSA subkey
> 0x1712BC461AF778E4, and says he uses GnuPG 2.1.8.
I don't think that GnuPG frontend or gpg-agent doesn't emit this
error.
It could be libgcrypt which generates this error. An EdDSA key is
represented by a point on the Ed25519 curve. When the point is not on
the curve (the key is invalid), it complains with this error.
I validate your e-mail by the key of 0x1712BC461AF778E4 with no error.
So, I don't think there is a problem in your key. The local copy
of your public key in his computer would be a problem.
--
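The check described in the message above, as an added example that is not part of the original message and is not libgcrypt's code: it decodes an Ed25519 public key the way RFC 8032 (section 5.1.3) specifies and reports whether the bytes name a point on the curve. The function names and the constructed invalid inputs are assumptions of this example.

```python
# Added example: RFC 8032 (section 5.1.3) decoding of an Ed25519 public key.
# Function names are this example's own; this is not libgcrypt's implementation.

P = 2**255 - 19                              # field prime
D = (-121665 * pow(121666, P - 2, P)) % P    # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)            # a square root of -1 modulo P


def on_curve(x, y):
    """True if (x, y) satisfies -x^2 + y^2 = 1 + d*x^2*y^2 (mod P)."""
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def decode_point(encoded):
    """Return (x, y) for a valid encoding; raise ValueError naming the defect."""
    # OpenPGP stores an EdDSA point as 0x40 followed by the 32 native bytes.
    if len(encoded) == 33 and encoded[0] == 0x40:
        encoded = encoded[1:]
    if len(encoded) != 32:
        raise ValueError("wrong length")
    value = int.from_bytes(encoded, "little")
    sign = value >> 255                      # top bit carries the parity of x
    y = value & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("non-canonical y coordinate")
    # Solve the curve equation for x^2 = (y^2 - 1) / (d*y^2 + 1).
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P                  # never 0: -1/d is not a square
    x2 = u * pow(v, P - 2, P) % P
    if x2 == 0:
        if sign:
            raise ValueError("x is 0 but the sign bit is set")
        return (0, y)
    # P = 5 (mod 8), so a candidate root is x2^((P+3)/8), possibly times sqrt(-1).
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        raise ValueError("not on the curve: x^2 has no square root")
    if (x & 1) != sign:
        x = P - x
    return (x, y)


def is_valid_public_key(encoded):
    """Boolean form of decode_point()."""
    try:
        decode_point(encoded)
        return True
    except ValueError:
        return False


def first_off_curve_y(start=2):
    """Smallest y >= start whose encoding does not decode (constructed bad key)."""
    y = start
    while is_valid_public_key(y.to_bytes(32, "little")):
        y += 1
    return y


if __name__ == "__main__":
    samples = {
        # Public key of RFC 8032 test vector 1.
        "rfc8032-test1": bytes.fromhex(
            "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"),
        # Constructed invalid inputs.
        "off-curve": first_off_curve_y().to_bytes(32, "little"),
        "y-equals-p": P.to_bytes(32, "little"),
    }
    for label, key in samples.items():
        try:
            decode_point(key)
            print(label, "-> valid point")
        except ValueError as exc:
            print(label, "-> broken public key:", exc)
```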
From darkpenguin at yandex.ru Tue Dec 8 00:41:27 2015
From: darkpenguin at yandex.ru (Dark Penguin)
Date: Tue, 08 Dec 2015 02:41:27 +0300
Subject: GPA - import keys more easily?..
Message-ID: <56661927.2000003@yandex.ru>
Is it possible to import public keys into GPA by "opening them with GPA"
instead of using "Keys - Import"?.. That would sure be convenient, but
simply opening an .asc key with GPA did not do that, and I couldn't find
anything mentioning such thing in the man gpa.
If this functionality is indeed not there, may I suggest we file a
"wishlist" bug for this issue?.. It seems quite natural to expect this
kind of thing. If it is there, I suggest we put it into the manual page,
because it's not there.
If it's there in the latest version, do rebuke me, for I am not
upgrading from 0.9.5 (from Debian Jessie repo) to 0.9.9 just to confirm
this behaviour; and I couldn't find a changelog for the last versions
anywhere on the site... It took me quite a while to even find a download
link, even though I do remember that it's hosted on the same site!..
Shouldn't it be put in the "Downloads" section, at least as a short link
in the bottom - "Also, see GPA, which aims to be the default GUI
frontend and is hosted on this site as well"?..
--
darkpenguin
From darkpenguin at yandex.ru Tue Dec 8 00:00:42 2015
From: darkpenguin at yandex.ru (Dark Penguin)
Date: Tue, 08 Dec 2015 02:00:42 +0300
Subject: GPA - unsupported certificate
In-Reply-To: <5665624C.3010501@digitalbrains.com>
References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com>
<5665624C.3010501@digitalbrains.com>
Message-ID: <56660F9A.6010402@yandex.ru>
I am sure I've installed all updates and security-updates. I wanted to
confirm the existence of another bug, so I've upgraded everything.
Debian has gpg installed by default; I did not run it before installing
GPA - naturally, I would expect GPA to run it itself if it needs it.
Also, in Debian, GPA depends on GPGv2, so it got installed as well. I
believe this means GPA is using GPGv2, but I have no way to confirm it.
I am running MATE, not KDE, as some might have expected (judging by the
abundance of "K"'s in the names "KGPG" and "Kleopatra") or GNOME3
(judging by the mention of "GNOME Keyring"). I don't think I've seen any
mentions of "Kleopatra" in my GPA, either the one from the repo, or the
one from the website...
Erm... sorry, I am still not very good with understanding the bug report
flow; I would have checked the Debian GPA bug page before writing here
if I knew about its existence. ^_^' And yes, here it is, my "Unsupported
certificate" bug!..
Seems like MATE uses GNOME Keyring, too. Unchecking it did not help...
This did: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790737#25
Indeed, this is a problem with GNOME Keyring, though fixing it now
apparently requires more than just disabling the GNOME Keyring; but,
this is a better solution, since you can keep the GNOME Keyring and have
GPA work.
I'm not sure if this idea makes sense, but maybe it would be easy to add
a check on the version of said gpg-agent before attempting to use it?..
On one side, GPA is probably supposed to work with whatever
GPG_AGENT_INFO is set to; on the other side, if all the other software
is fine working with GNOME Keyring and only GPA needs "only its own"
gpg-agent, maybe it would make sense to disregard GPG_AGENT_INFO if it
points to GNOME Keyring one, or maybe even disregard it always, or maybe
even have GPA use another fixed path to always connect to "our"
gpg-agent?.. This is not really "our problem", but a workaround would
probably help...
--
darkpenguin
From peter at digitalbrains.com Tue Dec 8 13:16:29 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 8 Dec 2015 13:16:29 +0100
Subject: GPA - unsupported certificate
In-Reply-To: <56660F9A.6010402@yandex.ru>
References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com>
<5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru>
Message-ID: <5666CA1D.4070206@digitalbrains.com>
On 08/12/15 00:00, Dark Penguin wrote:
> Erm... sorry, I am still not very good with understanding the bug
> report flow; I would have checked the Debian GPA bug page before
> writing here if I knew about its existence. ^_^' And yes, here it is,
> my "Unsupported certificate" bug!..
No problem, it's what mailing lists are for: to give pointers in the
right direction.
> I'm not sure if this idea makes sense, but maybe it would be easy to
> add a check on the version of said gpg-agent before attempting to use
> it?..
I know certain recent versions of GnuPG complain and warn about the
hijacking, but that is during usage on the terminal.
> On one side, GPA is probably supposed to work with whatever
> GPG_AGENT_INFO is set to
No, this variable is part of the internal architecture of GnuPG and
should be set to the gpg-agent that is part of the installed version of
GnuPG. This is why I use the term "hijack", rather than something like
"provide an alternative service". It has never been intended that other
software packages use this variable and start imitating internal parts
of GnuPG.
> on the other side, if all the other software is fine working with
> GNOME Keyring and only GPA needs "only its own" gpg-agent
Again, no. Lots of programs get vague problems. It's just that it used
to be that GNOME Keyring said "those problems are in GnuPG", whereas the
GnuPG project said "those problems are caused by GNOME Keyring breaking
our software". The result is that nobody fixed it. I hope that when
Debian Stretch is released, we can finally put this behind us, as the
problem has been fixed in recent versions that are unfortunately too
recent for Jessie AFAIK.
> maybe it would make sense to disregard GPG_AGENT_INFO if it points to
> GNOME Keyring one, or maybe even disregard it always, or maybe even
> have GPA use another fixed path to always connect to "our"
> gpg-agent?
GnuPG 2.1 already always uses a fixed path and disregards the variable.
And recent GnuPG 2.0 versions already warn about the hijack. The problem
is that two software projects want opposite things; this would lead to
an arms race. But fortunately, it will all go away when distributions
start using recent versions of the software, as the issue has finally
been resolved.
Oh, by the way, the functionality that GNOME Keyring is providing is
that it offers the option of unlocking your GnuPG keys when you log in.
I've never understood why this is so darn important. Without GNOME
Keyring, you would type two passphrases per login session: once to
login, and for the second time when you use your GnuPG key for the first
time. The gpg-agent can then keep the key unlocked for the rest of the
time if you want it to. With GNOME Keyring, it is reduced to one
passphrase: your login passphrase. Some might say that's a 50% gain, I
say it is the smallest possible gain: you gain one less
passphrase-entering moment per session. Whooptie-friggin'-doo. I don't
get it.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From neal at walfield.org Tue Dec 8 13:27:56 2015
From: neal at walfield.org (Neal H. Walfield)
Date: Tue, 08 Dec 2015 13:27:56 +0100
Subject: GPA - unsupported certificate
In-Reply-To: <5666CA1D.4070206@digitalbrains.com>
References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com>
<5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru>
<5666CA1D.4070206@digitalbrains.com>
Message-ID: <874mft15wz.wl-neal@walfield.org>
On Tue, 08 Dec 2015 13:16:29 +0100,
Peter Lebbing wrote:
> Again, no. Lots of programs get vague problems. It's just that it used
> to be that GNOME Keyring said "those problems are in GnuPG", whereas the
> GnuPG project said "those problems are caused by GNOME Keyring breaking
> our software". The result is that nobody fixed it. I hope that when
> Debian Stretch is released, we can finally put this behind us, as the
> problem has been fixed in recent versions that are unfortunately too
> recent for Jessie AFAIK.
The problem has been fixed in Gnome 3.18 (IIRC) and is already
shipping in the latest version of Fedora, for instance. The fix will
appear in the next Debian version, but the changes are too large for
them to be considered a Jessie point release.
:) Neal
From peter at digitalbrains.com Tue Dec 8 13:46:14 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 8 Dec 2015 13:46:14 +0100
Subject: GPA - unsupported certificate
In-Reply-To: <5666CA1D.4070206@digitalbrains.com>
References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com>
<5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru>
<5666CA1D.4070206@digitalbrains.com>
Message-ID: <5666D116.3050609@digitalbrains.com>
On 08/12/15 13:16, Peter Lebbing wrote:
> The problem
> is that two software projects want opposite things; this would lead to
> an arms race.
What might be a better "fix", IMHO, would be to have GPA also warn about
this, so people know what to do. Perhaps with another environment
variable GPG_NO_WARN_AGENT_HIJACK because GUI's usually warn through
modal dialogs, which gets tiresome quickly when you actually want GNOME
Keyring. That is, if GPA works *at all* with GNOME Keyring; I don't know.
However, looking at the age and number of bugs reported against Debian's
gpa related to this mess, I think the package maintainers don't have a
lot of time to spend on this. So someone would need to champion it all.
Write a complete patch, and campaign for its inclusion in the next
Jessie point release. I don't know if it would work, though. If the GPA
maintainers campaign for its inclusion in a point release, it might
work, but I doubt an outsider could get it done. Note: I'm not a Debian
Developer. I'm just making observations from the outside. I might be
babbling complete gobbledygook (is that how you spell it? :).
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 8 23:47:19 2015
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Tue, 8 Dec 2015 22:47:19 +0000
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <5666942F.2000404@fsij.org>
References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org>
Message-ID: <619034873.20151208224719@my_localhost>
Hi
On Tuesday 8 December 2015 at 8:26:23 AM, NIIBE Yutaka wrote:
> I don't think that GnuPG frontend or gpg-agent doesn't
> emit this error.
> It could be libgcrypt which generates this error.
It seems to be defined in Libgpg-error, which "defines common error
values for all GnuPG components."
> I validate your e-mail by the key of 0x1712BC461AF778E4
> with no error.
So do I.
> So, I don't think there is a problem in
> your key. The local copy of your public key in his
> computer would be a problem.
I suggested he delete my key and re-import it. He tells me he tried
that twice and it didn't help. It's a mystery to me.
--
Best regards
MFPA
The man who really wants to do something finds a way,
the other finds an excuse.
From brad at fineby.me.uk Wed Dec 9 00:24:36 2015
From: brad at fineby.me.uk (Brad Rogers)
Date: Tue, 8 Dec 2015 23:24:36 +0000
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <619034873.20151208224719@my_localhost>
References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org>
<619034873.20151208224719@my_localhost>
Message-ID: <20151208232436.72780e07@abydos.stargate.org.uk>
On Tue, 8 Dec 2015 22:47:19 +0000
MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote:
Hello MFPA,
>I suggested he delete my key and re-import it. He tells me he tried
>that twice and it didn't help. It's a mystery to me.
It's the same for me; A re-import of your key still results in an
error(1). I've checked some (locally) archived emails from you
(received via this list) and they verify fine. Obviously, something's
changed, but IDK what. Whatever the change, it occurred between 15 Nov
and 7 Dec. I have a message from the earlier date that verifies and a
message from the latter date that doesn't. Consequently, I believe the
issue is something other than your keyfile.
If it helps, I use a self-compiled (from GIT) Claws Mail as my MUA.
(1) Different error message "The signature can't be checked - End of
file."
--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
Gary don't need his eyes to see. Gary and his eyes have parted company
Gary Gilmore's Eyes - The Adverts
From darkpenguin at yandex.ru Wed Dec 9 19:11:59 2015
From: darkpenguin at yandex.ru (Dark Penguin)
Date: Wed, 09 Dec 2015 21:11:59 +0300
Subject: GPA - import keys more easily?..
In-Reply-To: <56676FC5.9010805@gbenet.com>
References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com>
Message-ID: <56686EEF.80109@yandex.ru>
> You can import keys (1) direct from personal contact - people give you the key id and you
> can download from a key server - most people upload their public key to a key server (2) you
> can get keys when people have included their public key as an attachment in an email. If you
> have installed Thunderbird - you could install Enigmail - you can do all the things with
> that that GPA does.
Of course, I could use other software if I don't like this one, but the
question is "wouldn't it be convenient to add a simple commandline
option to GPA to import a key". It's not that big of a deal, but the
idea is so obvious I'm really surprised it's not there yet.
It's not about GNOME Keyring; it's just that I've been using GnuPG and
GPA since Squeeze, and I would really like to be able to add public keys
by just "opening" them from anywhere, not only from a Thunderbird mail
attachment, and with GPA, not with something else.
I just don't want to submit a "wishlist" bug report without consulting
the users first - maybe it's already there in the newer versions?.. The
developers seem to be really busy...
--
darkpenguin
From darkpenguin at yandex.ru Wed Dec 9 18:57:04 2015
From: darkpenguin at yandex.ru (Dark Penguin)
Date: Wed, 09 Dec 2015 20:57:04 +0300
Subject: GPA - unsupported certificate
In-Reply-To: <5666CA1D.4070206@digitalbrains.com>
References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com>
<5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru>
<5666CA1D.4070206@digitalbrains.com>
Message-ID: <56686B70.1020605@yandex.ru>
>> I'm not sure if this idea makes sense, but maybe it would be easy to
>> add a check on the version of said gpg-agent before attempting to use
>> it?..
>
> I know certain recent versions of GnuPG complain and warn about the
> hijacking, but that is during usage on the terminal.
Then this should definitely alert GPA to forward the warning to the
user! It's already there, but GPA is ignoring this?.. (I don't have a
"recent" version of GnuPG, so I can't be sure this is not already done.)
>> maybe it would make sense to disregard GPG_AGENT_INFO if it points to
>> GNOME Keyring one, or maybe even disregard it always, or maybe even
>> have GPA use another fixed path to always connect to "our"
>> gpg-agent?
>
> GnuPG 2.1 already always uses a fixed path and disregards the variable.
> And recent GnuPG 2.0 versions already warn about the hijack. The problem
> is that two software projects want opposite things; this would lead to
> an arms race. But fortunately, it will all go away when distributions
> start using recent versions of the software, as the issue has finally
> been resolved.
Ok, so now it's only a question of GPA and GnuPG 2.1 being backported to
Jessie. That's good to know.
> Oh, by the way, the functionality that GNOME Keyring is providing is
> that it offers the option of unlocking your GnuPG keys when you log in.
> I've never understood why this is so darn important. Without GNOME
> Keyring, you would type two passphrases per login session: once to
> login, and for the second time when you use your GnuPG key for the first
> time. The gpg-agent can then keep the key unlocked for the rest of the
> time if you want it to. With GNOME Keyring, it is reduced to one
> passphrase: your login passphrase. Some might say that's a 50% gain, I
> say it is the smallest possible gain: you gain one less
> passphrase-entering moment per session. Whooptie-friggin'-doo. I don't
> get it.
I just wanted to say that "the GNOME guys must have some reason to do
that, though I seriously doubt their reasoning since GNOME3". Now I see
I was actually right. %)
--
darkpenguin
From gnupg at raf.org Wed Dec 9 21:34:41 2015
From: gnupg at raf.org (gnupg at raf.org)
Date: Thu, 10 Dec 2015 07:34:41 +1100
Subject: GPA - unsupported certificate
In-Reply-To: <56686B70.1020605@yandex.ru>
References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com>
<5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru>
<5666CA1D.4070206@digitalbrains.com> <56686B70.1020605@yandex.ru>
Message-ID: <20151209203441.GA13859@raf.org>
Dark Penguin wrote:
> > > maybe it would make sense to disregard GPG_AGENT_INFO if it points to
> > > GNOME Keyring one, or maybe even disregard it always, or maybe even
> > > have GPA use another fixed path to always connect to "our"
> > > gpg-agent?
> >
> > GnuPG 2.1 already always uses a fixed path and disregards the variable.
> > And recent GnuPG 2.0 versions already warn about the hijack. The problem
> > is that two software projects want opposite things; this would lead to
> > an arms race. But fortunately, it will all go away when distributions
> > start using recent versions of the software, as the issue has finally
> > been resolved.
>
> Ok, so now it's only a question of GPA and GnuPG 2.1 being backported to
> Jessie. That's good to know.
Does this mean that gpg-agent's --write-env-file option has
also been removed in 2.1? I'm relying on that and had better
be paying attention when gpg gets upgraded on my systems so
I can change my scripts to keep them working.
cheers,
raf
From rejo at zenger.nl Wed Dec 9 21:00:39 2015
From: rejo at zenger.nl (Rejo Zenger)
Date: Wed, 9 Dec 2015 21:00:39 +0100
Subject: cache gpg passphrase for mutt on os x
Message-ID: <20151209200039.GH7277@ix.home>
Hi,
I am running OS X 10.11.1 (and on another the latest version), in
combination with compiled-from-source mutt 1.5.23hg, and gpg 2.0.29 and
gpg-agent 2.0.29 (the latter two via Homebrew).
This all works fine, but one thing: caching of passphrase for, for
example, ten minutes. As I understand it, this is a problem with the
session mutt runs in: each new mutt decryption and signing operation
runs in a new session and hence can't access the previous one.
Probably, I can work around this, but to avoid spending hours of
searching for a good solution: has anyone else done this before?
--
Rejo Zenger
E rejo at zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl
T @rejozenger | J rejo at zenger.nl
OpenPGP 1FBF 7B37 6537 68B1 2532 A4CB 0994 0946 21DB EFD4
XMPP OTR 271A 9186 AFBC 8124 18CF 4BE2 E000 E708 F811 5ACF
Signal 0507 A41B F4D6 5DB4 937D E8A1 29B6 AAA6 524F B68B
93D4 4C6E 8BAB 7C9E 17C9 FB28 03
From andrey.od.utkin at gmail.com Wed Dec 9 23:05:58 2015
From: andrey.od.utkin at gmail.com (Andrey Utkin)
Date: Thu, 10 Dec 2015 00:05:58 +0200
Subject: Please consider joining Bountysource Salt to collect recurring
donations
Message-ID: <5668A5C6.10603@gmail.com>
This request targets GnuPG maintainers to register a team on that
(and/or others, e.g. Gratipay) crowdfunding platform.
GnuPG users are welcome to comment whether they would support such
opportunity.
Occasional GnuPG contributors are welcome to comment whether they would
like to become "bounty hunters" (an opportunity on subj site).
I am not affiliated to these platforms.
--
OpenPGP usage is appreciated (it also helps your letter to bypass spam
filters). To email me with encryption easily, go
https://encrypt.to/0xC6FCDB11
From rjh at sixdemonbag.org Thu Dec 10 00:29:34 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 9 Dec 2015 18:29:34 -0500
Subject: Please consider joining Bountysource Salt to collect recurring
donations
In-Reply-To: <5668A5C6.10603@gmail.com>
References: <5668A5C6.10603@gmail.com>
Message-ID: <5668B95E.3000709@sixdemonbag.org>
> This request targets GnuPG maintainers to register a team on that
> (and/or others, e.g. Gratipay) crowdfunding platform.
Is there some problem with the existing donation system? If there's a
problem then let's fix it, but I'm not sure it's a good idea to change
something that works.
From 2014-667rhzu3dc-lists-groups at riseup.net Thu Dec 10 01:50:23 2015
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Thu, 10 Dec 2015 00:50:23 +0000
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <20151208232436.72780e07@abydos.stargate.org.uk>
References: <144345553.20151207235136@my_localhost>
<5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost>
<20151208232436.72780e07@abydos.stargate.org.uk>
Message-ID: <541836753.20151210005023@my_localhost>
Hi
On Tuesday 8 December 2015 at 11:24:36 PM, Brad Rogers wrote:
> It's the same for me; A re-import of your key still
> results in an error(1).
Which GnuPG version are you using?
> I've checked some (locally)
> archived emails from you (received via this list) and
> they verify fine. Obviously, something's changed, but
> IDK what. Whatever the change, it occurred between 15
> Nov and 7 Dec. I have a message from the earlier date
> that verifies and a message from the latter date that
> doesn't. Consequently, I believe the issue is
> something other than your keyfile.
I have two "local-user" lines in my gpg.conf file, 0x1712BC461AF778E4!
and 0x6B7C74CEB31F25F0!. The aim is a signature from EDDSA subkey
0x1712BC461AF778E4, but also a signature from my RSA subkey
0x6B7C74CEB31F25F0 that can be verified by GnuPG 1.4 or 2.0 versions.
On 6th December I switched the order of these lines, so that the RSA
signature comes last. An Enigmail and GnuPG 2.0 user told me he was
not seeing the "good" signature from 0x6B7C74CEB31F25F0. It appears
that if there are multiple signatures present, Enigmail only passes on
the GnuPG output for the last one.
> If it helps, I use a self-compiled (from GIT) Claws
> Mail as my MUA.
Maybe if there are multiple signatures present, your MUA only
passes on the GnuPG output for the first one? I just switched them back
round to see what happens.
> (1) Different error message "The signature can't be
> checked - End of file."
--
Best regards
MFPA
To steal ideas from one person is plagiarism;
to steal from many is research.
From andrey.od.utkin at gmail.com Thu Dec 10 02:22:58 2015
From: andrey.od.utkin at gmail.com (Andrey Utkin)
Date: Thu, 10 Dec 2015 03:22:58 +0200
Subject: Please consider joining Bountysource Salt to collect recurring
donations
In-Reply-To: <5668B95E.3000709@sixdemonbag.org>
References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org>
Message-ID: <5668D3F2.2070600@gmail.com>
On 10.12.2015 01:29, Robert J. Hansen wrote:
>> This request targets GnuPG maintainers to register a team on that
>> (and/or others, e.g. Gratipay) crowdfunding platform.
>
> Is there some problem with the existing donation system? If there's a
> problem then let's fix it, but I'm not sure it's a good idea to change
> something that works.
Wow, actual Donate page turned out to be a secret area, not obvious to
get to it (it looks like a menu header, not a menu entry).
Without regard to that:
- subj enables recurring donations (personally I am not willing to make
large one-time transaction),
- subj is a place where people eager to give go to find whom to give,
- subj is new, it gains popularity and gets people attention, so
somebody would consider GnuPG when reviewing projects available for funding.
--
OpenPGP usage is appreciated (it also helps your letter to bypass spam
filters). To email me with encryption easily, go
https://encrypt.to/0xC6FCDB11
From mail at tankredhase.de Thu Dec 10 07:28:34 2015
From: mail at tankredhase.de (Tankred Hase)
Date: Thu, 10 Dec 2015 13:28:34 +0700
Subject: CORS requests not working in SKS 1.1.5
Message-ID:
Hey,
Tankred from OpenPGP.js / Whiteout.io here. I'm currently testing HTTP CORS requests to SKS via JS in the browser after having read the announcement on v1.1.5 (https://lists.gnupg.org/pipermail/gnupg-users/2014-May/049682.html). Unfortunately I'm getting a 502 (Bad Gateway) response. Upon further analysis I saw that only the following header is set:
The Access-Control-Allow-Origin: *
Tested using: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=safewithme.testuser%40gmail.com
This is indeed a requirement for CORS requests, but not sufficient. Without the following headers, CORS requests from the browser will fail as an OPTIONS preflight check is required:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type
You can test how it should look here: https://keys.whiteout.io/safewithme.testuser at gmail.com
Would it be possible to add the headers? It would allow me to remove the need for our proprietary key server proxy and send requests directly to the SKS server from the web. Thanks!
Tankred
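A simplified model of the browser-side preflight check that the message above is about, added here as an example (not code from SKS, OpenPGP.js or Whiteout.io). The function names, the `application/json` request header, the 204 status and the `https://app.example` origin are assumptions; requests are assumed to carry no credentials, so a `*` value is accepted.

```python
# Added example: which requests trigger an OPTIONS preflight, and whether a
# given preflight response lets the real request through (no credentials).

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
}

# Constructed from the headers quoted in the message above.
ONLY_ALLOW_ORIGIN = {"Access-Control-Allow-Origin": "*"}
FULL_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
}


def unsafe_header_names(request_headers):
    """Lower-cased names of request headers that are not CORS-safelisted."""
    names = []
    for name, value in request_headers.items():
        lname = name.lower()
        if lname in SAFELISTED_HEADERS:
            continue
        if lname == "content-type":
            mime = value.split(";")[0].strip().lower()
            if mime in SAFELISTED_CONTENT_TYPES:
                continue
        names.append(lname)
    return sorted(names)


def needs_preflight(method, request_headers):
    """True if the browser sends OPTIONS before the real request."""
    return (method.upper() not in SAFELISTED_METHODS
            or bool(unsafe_header_names(request_headers)))


def _tokens(value):
    return {t.strip() for t in (value or "").split(",") if t.strip()}


def preflight_passes(status, response_headers, origin, method, request_headers):
    """Return (ok, reason) for the OPTIONS response to a preflighted request."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    if not 200 <= status <= 299:
        return (False, "preflight status %d is not 2xx" % status)
    if headers.get("access-control-allow-origin") not in ("*", origin):
        return (False, "origin not allowed")
    methods = {m.upper() for m in _tokens(headers.get("access-control-allow-methods"))}
    wanted = method.upper()
    if (wanted not in SAFELISTED_METHODS and wanted not in methods
            and "*" not in methods):
        return (False, "method %s not allowed" % wanted)
    allowed = {h.lower() for h in _tokens(headers.get("access-control-allow-headers"))}
    for name in unsafe_header_names(request_headers):
        if name not in allowed and "*" not in allowed:
            return (False, "request header %s not allowed" % name)
    return (True, "ok")


if __name__ == "__main__":
    origin = "https://app.example"                    # assumed page origin
    request = {"Content-Type": "application/json"}    # assumed request header
    print("preflight needed:", needs_preflight("GET", request))
    for label, status, resp in [("origin header only", 204, ONLY_ALLOW_ORIGIN),
                                ("all three headers", 204, FULL_HEADERS),
                                ("gateway error", 502, FULL_HEADERS)]:
        print(label, "->", preflight_passes(status, resp, origin, "GET", request))
```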
From peter at digitalbrains.com Thu Dec 10 11:46:42 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 10 Dec 2015 11:46:42 +0100
Subject: GPA - import keys more easily?..
In-Reply-To: <56686EEF.80109@yandex.ru>
References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com>
<56686EEF.80109@yandex.ru>
Message-ID: <56695812.3020003@digitalbrains.com>
On 09/12/15 19:11, Dark Penguin wrote:
> Of course, I could use other software if I don't like this one, but the question
> is "wouldn't it be convenient to add a simple commandline option to GPA to
> import a key".
For commandline usage, you can simply use GnuPG directly:
$ gpg2 --import pubkey.asc
GPA is a GUI frontend to GnuPG. Commandline support is already in GnuPG and
doesn't need to be in a GUI frontend.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From peter at digitalbrains.com Thu Dec 10 11:49:24 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 10 Dec 2015 11:49:24 +0100
Subject: cache gpg passphrase for mutt on os x
In-Reply-To: <20151209200039.GH7277@ix.home>
References: <20151209200039.GH7277@ix.home>
Message-ID: <566958B4.6050201@digitalbrains.com>
On 09/12/15 21:00, Rejo Zenger wrote:
> As I understand it, this is a problem with the session mutt runs in: each
> new mutt decryption and signing operation runs in a new session and hence
> can't access the previous' one.
>
> Probably, I can work around this, but to avoid spending hours of searching
> for a good solution: has anyone else done this before?
Sounds like GPG_AGENT_INFO is not set in that session, and hence cannot access
the already running agent that has the passphrase cached.
Other than that hint, I can't help you. I have no experience with Mac OS or mutt.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From brad at fineby.me.uk Thu Dec 10 10:46:31 2015
From: brad at fineby.me.uk (Brad Rogers)
Date: Thu, 10 Dec 2015 09:46:31 +0000
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <541836753.20151210005023@my_localhost>
References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org>
<619034873.20151208224719@my_localhost>
<20151208232436.72780e07@abydos.stargate.org.uk>
<541836753.20151210005023@my_localhost>
Message-ID: <20151210094631.4bd7fbd9@abydos.stargate.org.uk>
On Thu, 10 Dec 2015 00:50:23 +0000
MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote:
Hello MFPA,
>Which GnuPG version are you using?
Damn; I always forget some vital bit of info....
GnuPG v1.4.19
>Maybe if there are multiple signatures present, your MUA only
>passes on the GnuPG output for the first one? I just switched them back
No idea, TBH - I don't understand coding well enough to figure it out.
I'll ask on the CM list and see what they say.
>round to see what happens.
This message validated correctly. There's also one other difference;
The signature is no longer inline, but attached. Not that I expect that
is relevant.
--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
You never listen to a word that I said
Public Image - Public Image Ltd
From philip.jackson at nordnet.fr Thu Dec 10 14:05:15 2015
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Thu, 10 Dec 2015 14:05:15 +0100
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <541836753.20151210005023@my_localhost>
References: <144345553.20151207235136@my_localhost>
<5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost>
<20151208232436.72780e07@abydos.stargate.org.uk>
<541836753.20151210005023@my_localhost>
Message-ID: <5669788B.6010406@nordnet.fr>
On 10/12/15 01:50, MFPA wrote:
> On 6th December I switched the order of these lines, so that the RSA
> signature comes last. An Enigmail and GnuPG 2.0 user told me he was
> not seeing the "good" signature from 0x6B7C74CEB31F25F0. It appears
> that if there are multiple signatures present, Enigmail only passes on
> the GnuPG output for the last one.
I'm using gpg2.0.22 on my desktop and I can never verify your emails
(MFPA) - I always get from enigmail :
"Unverified signature; the key type is not supported by your version of
GnuPG"
"Unverified signature
UNTRUSTED BAD signature from 2014-667rhzu3dc-lists-groups at riseup.net
<2014-667rhzu3dc-lists-groups at riseup.net>"
Which is normal for an ECC key.
On my laptop, with Debian Jessie and gpg2.1.7, the signature verifies
ok. Again normal for 2.1.x
Philip
From rjh at sixdemonbag.org Thu Dec 10 17:33:44 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 10 Dec 2015 11:33:44 -0500
Subject: Please consider joining Bountysource Salt to collect recurring
donations
In-Reply-To: <5668D3F2.2070600@gmail.com>
References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org>
<5668D3F2.2070600@gmail.com>
Message-ID: <5669A968.2090108@sixdemonbag.org>
> Wow, actual Donate page turned out to be a secret area, not obvious to
> get to it (it looks like a menu header, not a menu entry).
Then that's a problem we should look into, and thanks for telling us
about it. :)
> - subj enables recurring donations (personally I am not willing to make
> large one-time transaction),
Recurring donations would be a nice feature. We should look into this.
> - subj is a place where people eager to give go to find whom to give,
See my next remark.
> - subj is new, it gains popularity and gets people attention, so
> somebody would consider GnuPG when reviewing projects available for funding.
You just said it's a place where people eager to give go to find whom to
give... but now you're saying that it's new. If it's new, that means
they're still beginning to attract users and build their own reputation.
So which is it? Is it a place with a lot of users and a reputation for
being a place where people looking to give can find worthy projects, or
is it just starting out and needs to gain popularity?
From rjh at sixdemonbag.org Thu Dec 10 17:49:09 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 10 Dec 2015 11:49:09 -0500
Subject: Please consider joining Bountysource Salt to collect recurring
donations
In-Reply-To: <5669A968.2090108@sixdemonbag.org>
References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org>
<5668D3F2.2070600@gmail.com> <5669A968.2090108@sixdemonbag.org>
Message-ID: <5669AD05.8020009@sixdemonbag.org>
> You just said it's a place where people eager to give go to find whom to
> give... but now you're saying that it's new. If it's new, that means
> they're still beginning to attract users and build their own reputation.
> So which is it? Is it a place with a lot of users and a reputation for
> being a place where people looking to give can find worthy projects, or
> is it just starting out and needs to gain popularity?
On a lark, I checked out Bountysource Salt.
Here's their C++ projects you can support:
Tiled: $1027 pledged this month
ZNC: $0 this month
TrinityCore: $0 this month
Gammu: $0 this month
Arduino: $0 this month
NetMauMau: $0 this month
MineTest: $0 this month
NLUlite: $0 this month
KDevelop: $0 this month
VX68K.org: $0 this month
Checking their Python project offerings:
urllib3: $0 this month
aspidites: $0 this month
Checking their GTK+ project offerings:
Elementary: $302 last month
XFCE: $118 last month
Antergos: $21 this month
FeedReader: $2 this month
GNOME: $0 this month
Switchboard: $0 this month
Midori Browser: $0 this month
Scratch: $0 this month
Pantheon Photos: $0 this month
Maya: $0 this month
Slingshot: $0 this month
Noise: $0 this month
Granite: $0 this month
WingPanel: $0 this month
Numix: $0 this month
Pragha Music Player: $0 this month
Ozon OS: $0 this month
Solus-project: $0 this month
... So, yeah. I'm thinking this is not a credible source for
fundraising. Arduino and GNOME, projects with *far* greater visibility,
get $0 a month from Bountysource. I find it hard to believe we'd do
much better.
I think this is something best avoided.
From wk at gnupg.org Thu Dec 10 20:53:05 2015
From: wk at gnupg.org (Werner Koch)
Date: Thu, 10 Dec 2015 20:53:05 +0100
Subject: Please consider joining Bountysource Salt to collect recurring
donations
In-Reply-To: <5668D3F2.2070600@gmail.com> (Andrey Utkin's message of "Thu, 10
Dec 2015 03:22:58 +0200")
References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org>
<5668D3F2.2070600@gmail.com>
Message-ID: <871tauf5cu.fsf@vigenere.g10code.de>
On Thu, 10 Dec 2015 02:22, andrey.od.utkin at gmail.com said:
> Wow, actual Donate page turned out to be a secret area, not obvious to
> get to it (it looks like a menu header, not a menu entry).
Thanks for telling. This is the first time I heard about this but I can
imagine the problem. I just modified it to put a submenu item as an
alias there. Is that better?
> - subj enables recurring donations (personally I am not willing to make
> large one-time transaction),
I know. It is quite some work to do that properly because it needs some
kind of account management to match the donations with the donor.
However, most people in Europe have an easy way to do this by using SEPA
transfers and standing orders.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From darkpenguin at yandex.ru Thu Dec 10 21:00:22 2015
From: darkpenguin at yandex.ru (Dark Penguin)
Date: Thu, 10 Dec 2015 23:00:22 +0300
Subject: GPA - import keys more easily?..
In-Reply-To: <56695812.3020003@digitalbrains.com>
References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com>
<56686EEF.80109@yandex.ru> <56695812.3020003@digitalbrains.com>
Message-ID: <5669D9D6.4020007@yandex.ru>
>> Of course, I could use other software if I don't like this one, but the question
>> is "wouldn't it be convenient to add a simple commandline option to GPA to
>> import a key".
>
> For commandline usage, you can simply use GnuPG directly:
>
> $ gpg2 --import pubkey.asc
>
> GPA is a GUI frontend to GnuPG. Commandline support is already in GnuPG and
> doesn't need to be in a GUI frontend.
I could do that, but I believe for most users it would be much more
convenient to see a graphical window of a familiar program with the
user's name and email address and a confirmation dialog, instead of
seeing a terminal saying "I've already imported it" (or not even seeing
it, because I think it would normally close immediately after the
program has finished running).
I know how keys work; I've been using it at work for a long time. And I
usually import the keys from email attachments, which I know are
correct, because I've helped them set up PGP and I've created their
email account. I just want to be able to have them imported with simply
opening them with GPA and not have to save them somewhere, then look for
them in the "Import keys..." dialog, and then delete them.
I've submitted this along with other bugs and wishlist items to
gnupg-devel, but it seems that those have not yet been approved by the
moderator (though almost a week has passed since the first report). I
wanted to hear what they have to say before creating the bug reports,
but now I've submitted all of the "bugs" I wanted to report on
bugs.gnupg.org (issues 2178, 2179, and this one - 2180).
--
darkpenguin
From mail at tankredhase.de Fri Dec 11 05:08:11 2015
From: mail at tankredhase.de (Tankred Hase)
Date: Fri, 11 Dec 2015 11:08:11 +0700
Subject: CORS requests not working in SKS 1.1.5
In-Reply-To:
References:
Message-ID: <1AC193EE-F3EE-4ACF-BBE0-4A8E06DD8F46@tankredhase.de>
It seems I just had some connection problems yesterday that caused the 502. Thanks to Daniel Roesler for providing help. I've implemented initial HKP support in OpenPGP.js. Comments welcome:
https://github.com/openpgpjs/openpgpjs/pull/380
Thanks!
Tankred
> On 10.12.2015 at 13:28, Tankred Hase wrote:
>
> Hey,
>
> Tankred from OpenPGP.js / Whiteout.io here. I'm currently testing HTTP CORS requests to SKS via JS in the browser after having read the announcement on v1.1.5 (https://lists.gnupg.org/pipermail/gnupg-users/2014-May/049682.html). Unfortunately I'm getting a 502 (Bad Gateway) response. Upon further analysis I saw that only the following header is set:
>
> The Access-Control-Allow-Origin: *
>
> Tested using: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=safewithme.testuser%40gmail.com
>
> This is indeed a requirement for CORS requests, but not sufficient. Without the following headers, CORS requests from the Browser will fail as an OPTIONS preflight check is required:
>
> Access-Control-Allow-Origin: *
> Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
> 'Access-Control-Allow-Headers': Content-Type
>
> You can test how it should look here: https://keys.whiteout.io/safewithme.testuser at gmail.com
>
> Would it be possible to add the headers? It would allow me to remove the need for our proprietary key server proxy and send requests directly to the SKS server from the web. Thanks!
>
> Tankred
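An added example, not part of the original message and not OpenPGP.js or SKS code: a simplified JavaScript model of the browser-side CORS checks discussed above, showing which requests are preflighted and how the three response headers are evaluated. The origin, the request objects and all function names are assumptions made for the illustration; credentials are assumed not to be sent.

```javascript
// Added example: simplified model of the Fetch standard's CORS checks (no credentials).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Lower-case header names so that lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Names of request headers that are not CORS-safelisted and so force a preflight.
function unsafeHeaders(requestHeaders) {
  return Object.entries(normalize(requestHeaders)).filter(([name, value]) => {
    if (SAFE_HEADERS.has(name)) return false;
    const type = value.split(';')[0].trim().toLowerCase();
    return !(name === 'content-type' && SAFE_CONTENT_TYPES.has(type));
  }).map(([name]) => name).sort();
}

function needsPreflight(request) {
  const safeMethod = SAFE_METHODS.has(request.method.toUpperCase());
  return !safeMethod || unsafeHeaders(request.headers).length > 0;
}

function originAllowed(origin, responseHeaders) {
  const allow = normalize(responseHeaders)['access-control-allow-origin'];
  return allow === '*' || allow === origin;
}

// Check the server's answer to the OPTIONS preflight; returns null when it passes.
function checkPreflight(origin, request, preflight) {
  if (!preflight || preflight.status < 200 || preflight.status > 299) {
    return 'preflight did not return a 2xx status';
  }
  if (!originAllowed(origin, preflight.headers)) return 'origin not allowed by preflight';
  const h = normalize(preflight.headers);
  const methods = tokens(h['access-control-allow-methods']);
  const method = request.method.toUpperCase();
  const methodOk = SAFE_METHODS.has(method) || methods.includes('*') ||
    methods.includes(method.toLowerCase());
  if (!methodOk) return `method ${method} not in Access-Control-Allow-Methods`;
  const allowed = tokens(h['access-control-allow-headers']);
  for (const name of unsafeHeaders(request.headers)) {
    // The "*" wildcard never covers Authorization; it must be listed by name.
    const wildcard = allowed.includes('*') && name !== 'authorization';
    if (!wildcard && !allowed.includes(name)) {
      return `header ${name} not in Access-Control-Allow-Headers`;
    }
  }
  return null;
}

// Decide whether a page at `origin` may send `request` and read `response`.
function evaluate(origin, request, preflight, response) {
  const preflighted = needsPreflight(request);
  const problem = preflighted ? checkPreflight(origin, request, preflight) : null;
  if (problem) return { preflighted, allowed: false, reason: problem };
  if (!originAllowed(origin, response.headers)) {
    return { preflighted, allowed: false, reason: 'origin not allowed by response' };
  }
  return { preflighted, allowed: true, reason: 'ok' };
}

// Constructed sample data: a web origin, two server header sets, three requests.
const ORIGIN = 'https://webmail.example';
const ORIGIN_ONLY = { 'Access-Control-Allow-Origin': '*' };
const FULL = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type',
};
const LOOKUP = { method: 'GET', headers: {} };
const FORM_POST = { method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' } };
const JSON_POST = { method: 'POST', headers: { 'Content-Type': 'application/json' } };

function demo() {
  const reply = { status: 200, headers: ORIGIN_ONLY };
  return {
    lookup: evaluate(ORIGIN, LOOKUP, null, reply),
    formPost: evaluate(ORIGIN, FORM_POST, null, reply),
    jsonOriginOnly: evaluate(ORIGIN, JSON_POST, reply, reply),
    jsonFull: evaluate(ORIGIN, JSON_POST, { status: 204, headers: FULL }, reply),
  };
}
```

In this model a plain GET lookup and a form-encoded POST are not preflighted, so `Access-Control-Allow-Origin` alone decides them; the `Allow-Methods` and `Allow-Headers` values only come into play once the request uses a non-safelisted method, header or content type.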
From peter at digitalbrains.com Fri Dec 11 10:40:45 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 11 Dec 2015 10:40:45 +0100
Subject: Please consider joining Bountysource Salt to collect recurring
donations
In-Reply-To: <871tauf5cu.fsf@vigenere.g10code.de>
References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org>
<5668D3F2.2070600@gmail.com> <871tauf5cu.fsf@vigenere.g10code.de>
Message-ID: <566A9A1D.4030600@digitalbrains.com>
On 10/12/15 20:53, Werner Koch wrote:
> I just modified it to put a submenu item as an alias there. Is that
> better?
While I think it's a good idea to include an alias, I think you should
do that consistently for all the menus, otherwise "Documentation" and
"Related software" are going to end up even more hidden ;).
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From peter at digitalbrains.com Fri Dec 11 10:49:39 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 11 Dec 2015 10:49:39 +0100
Subject: GPA - import keys more easily?..
In-Reply-To: <5669D9D6.4020007@yandex.ru>
References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com>
<56686EEF.80109@yandex.ru> <56695812.3020003@digitalbrains.com>
<5669D9D6.4020007@yandex.ru>
Message-ID: <566A9C33.5040809@digitalbrains.com>
On 10/12/15 21:00, Dark Penguin wrote:
> (or not even seeing it, because I think it would normally close
> immediately after the program has finished running).
Oh, okay, I misunderstood your request. I thought you wanted to invoke
GPA from the command line, since you called it a command line option.
But I suppose you want a file association so GPA is launched on an .asc
or .gpg file, and subsequently takes the most logical action for the
actual content of the file (show key info with an option to import for
keys, decrypt and verify for encrypted/signed data).
Cheers,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From peter at digitalbrains.com Fri Dec 11 10:55:20 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 11 Dec 2015 10:55:20 +0100
Subject: GPA - import keys more easily?..
In-Reply-To: <5669D9D6.4020007@yandex.ru>
References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com>
<56686EEF.80109@yandex.ru> <56695812.3020003@digitalbrains.com>
<5669D9D6.4020007@yandex.ru>
Message-ID: <566A9D88.3080708@digitalbrains.com>
On 10/12/15 21:00, Dark Penguin wrote:
> And I usually import the keys from email attachments, which I know
> are correct, because I've helped them set up PGP and I've created
> their email account. I just want to be able to have them imported
> with simply opening them with GPA and not have to save them
> somewhere, then look for them in the "Import keys..." dialog, and
> then delete them.
Since I'm constantly making wrong assumptions on implied contexts here,
just let me make this explicit: we are talking about e-mail clients for
which no OpenPGP plugins/extensions/etc. exist, like webmail and such,
right? Because I just have Enigmail handling keys in e-mail, in my
Icedove (Thunderbird).
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From andrey.od.utkin at gmail.com Fri Dec 11 14:51:49 2015
From: andrey.od.utkin at gmail.com (Andrey Utkin)
Date: Fri, 11 Dec 2015 15:51:49 +0200
Subject: Please consider joining Bountysource Salt to collect recurring
donations
In-Reply-To: <5669AD05.8020009@sixdemonbag.org>
References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org>
<5668D3F2.2070600@gmail.com> <5669A968.2090108@sixdemonbag.org>
<5669AD05.8020009@sixdemonbag.org>
Message-ID: <566AD4F5.5090500@gmail.com>
On 10.12.2015 18:49, Robert J. Hansen wrote:
> ... So, yeah. I'm thinking this is not a credible source for
> fundraising. Arduino and GNOME, projects with *far* greater visibility,
> get $0 a month from Bountysource. I find it hard to believe we'd do
> much better.
>
> I think this is something best avoided.
>
The Salt project was released this spring or this autumn, I don't
remember for sure.
There's a competing project, Gratipay (formerly Gittip, rebranded recently),
and some more, so there's also fragmentation.
Yes, you are right that these platforms (and recurring donations to FOSS
projects in general) are far from being as popular as they should be. But
basically this is a network, and the value of a network is bound to the number
of members in it. If nobody is in, nobody considers joining worthwhile. The
more time passes, the more projects and backers join and the greater the
money flow.
I was surprised to become the first backer of the FFmpeg project, which was
already set up :)
Also I am not aware how much hassle it is for you to set up your
donation-collecting account on these networks, but I hope it's not that
painful.
Werner, Donate menu entry got better, but there's another issue - when
cursor pointer moves from menu header down to menu entries, menu
dropdown tends to disappear, it takes many attempts to catch it :)
Thanks for all the comments.
From wk at gnupg.org Fri Dec 11 18:57:24 2015
From: wk at gnupg.org (Werner Koch)
Date: Fri, 11 Dec 2015 18:57:24 +0100
Subject: Please consider joining Bountysource Salt to collect recurring
donations
In-Reply-To: <566A9A1D.4030600@digitalbrains.com> (Peter Lebbing's message of
"Fri, 11 Dec 2015 10:40:45 +0100")
References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org>
<5668D3F2.2070600@gmail.com> <871tauf5cu.fsf@vigenere.g10code.de>
<566A9A1D.4030600@digitalbrains.com>
Message-ID: <877fkkdg1n.fsf@vigenere.g10code.de>
On Fri, 11 Dec 2015 10:40, peter at digitalbrains.com said:
> While I think it's a good idea to include an alias, I think you should
> do that consistently for all the menus, otherwise "Documentation" and
> "Related software" are going to end up even more hidden ;).
Frankly, I think we should change the style of the menu again because
we now have two identical entries in the sub-menu.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From darkpenguin at yandex.ru Fri Dec 11 16:28:13 2015
From: darkpenguin at yandex.ru (Dark Penguin)
Date: Fri, 11 Dec 2015 18:28:13 +0300
Subject: GPA - import keys more easily?..
In-Reply-To: <566A9C33.5040809@digitalbrains.com>
References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com>
<56686EEF.80109@yandex.ru> <56695812.3020003@digitalbrains.com>
<5669D9D6.4020007@yandex.ru> <566A9C33.5040809@digitalbrains.com>
Message-ID: <566AEB8D.1050606@yandex.ru>
>> (or not even seeing it, because I think it would normally close
>> immediately after the program has finished running).
>
> Oh, okay, I misunderstood your request. I thought you wanted to invoke
> GPA from the command line, since you called it a command line option.
>
> But I suppose you want a file association so GPA is launched on an .asc
> or .gpg file, and subsequently takes the most logical action for the
> actual content of the file (show key info with an option to import for
> keys, decrypt and verify for encrypted/signed data).
Yes; I can set up a file association myself, but when I open someone's
.asc public key in GPA, I see a "File manager" window with an option to
decrypt it, which doesn't make sense. I want either GPA to automatically
understand that this is a public key (which is not hard at all, because
there is the PGP header written in plaintext), or at least to be able to
open keys with GPA with some option to tell it that this is a key, not
an encrypted message, if it can not see that without my help - maybe
with a commandline option. Or at the very least, they should just add an
"Import key" option in that file manager for such cases - that would
also be fine by me. I just want to be able to import a key I'm already
looking at without having to look for it again in the "Import key..."
dialog.
There may be "workarounds" like installing some plugins for some mail
clients, but I'm happy with GPA, and I want to use GPA, and installing a
plugin (and probably switching to a compatible email client) and setting
it up and getting used to it just to be able to import keys a couple of
seconds quicker does not really make sense.
PGP for Windows has done that since time immemorial, naturally. I would
expect at least this much from a frontend for encryption software for an
operating system which, unlike Windows, is actually concerned about
security, and I believe our new "converts" from Windows would expect it
too, and I can't believe it's still not there by now. =/
--
darkpenguin
From 2014-667rhzu3dc-lists-groups at riseup.net Fri Dec 11 22:35:56 2015
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Fri, 11 Dec 2015 21:35:56 +0000
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <20151210094631.4bd7fbd9@abydos.stargate.org.uk>
References: <144345553.20151207235136@my_localhost>
<5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost>
<20151208232436.72780e07@abydos.stargate.org.uk>
<541836753.20151210005023@my_localhost>
<20151210094631.4bd7fbd9@abydos.stargate.org.uk>
Message-ID: <1662083054.20151211213556@my_localhost>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Thursday 10 December 2015 at 9:46:31 AM, in
, Brad Rogers
wrote:
> GnuPG v1.4.19
1.4.x should verify the signature from my RSA subkey but report "Can't
check signature: unknown pubkey algorithm" for the signature from my
EDDSA subkey.
> There's also one
> other difference; The signature is no longer inline,
> but attached. Not that I expect that is relevant.
Yes, I accidentally used PGP/MIME instead of inline.
- --
Best regards
MFPA
Vegetarian: Indian word for lousy hunter!!!
From 2014-667rhzu3dc-lists-groups at riseup.net Fri Dec 11 22:42:04 2015
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Fri, 11 Dec 2015 21:42:04 +0000
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <5669788B.6010406@nordnet.fr>
References: <144345553.20151207235136@my_localhost>
<5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost>
<20151208232436.72780e07@abydos.stargate.org.uk>
<541836753.20151210005023@my_localhost> <5669788B.6010406@nordnet.fr>
Message-ID: <1039963885.20151211214204@my_localhost>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Thursday 10 December 2015 at 1:05:15 PM, in
, Philip Jackson wrote:
> I'm using gpg2.0.22 on my desktop and I can never
> verify your emails (MFPA) - I always get from enigmail
> :
> "Unverified signature; the key type is not supported by
> your version of GnuPG"
> "Unverified signature
> UNTRUSTED BAD signature from
> 2014-667rhzu3dc-lists-groups at riseup.net
> <2014-667rhzu3dc-lists-groups at riseup.net>"
> Which is normal for an ECC key.
Except that "Unverified" is not the same as "BAD".
And Enigmail is failing to pass on GnuPG's output from verifying the
signature made with my RSA key.
> On my laptop, with Debian Jessie and gpg2.1.7, the
> signature verifies ok. Again normal for 2.1.x
Do both signatures verify correctly for you with 2.1.x, or does
Enigmail still only pass on the result of one of them?
- --
Best regards
MFPA
Time flies like an arrow. Fruit flies like a banana. -- Groucho Marx
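An added example, not part of the original message and not Enigmail or Claws Mail code: a JavaScript sketch of how a mail frontend can read GnuPG's `--status-fd` output for a message with two signatures and keep "could not be checked" (ERRSIG) apart from "BAD" (BADSIG). The key IDs, timestamp and user ID in the sample are constructed placeholders, and the overall-verdict policy in `summarize` is an assumption of this example.

```javascript
// Added example: read every signature result from GnuPG's --status-fd output.
const PUBKEY_ALGOS = { 1: 'RSA', 17: 'DSA', 19: 'ECDSA', 22: 'EdDSA' };
const ERRSIG_REASONS = { 4: 'unsupported algorithm', 9: 'missing public key' };
// Status keywords GnuPG emits once it has actually checked a signature.
const CHECKED = new Map([
  ['GOODSIG', 'good'], ['BADSIG', 'bad'], ['EXPSIG', 'expired-signature'],
  ['EXPKEYSIG', 'expired-key'], ['REVKEYSIG', 'revoked-key'],
]);

// Return one record per signature, in the order GnuPG reported them.
function parseStatus(text) {
  const results = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.startsWith('[GNUPG:] ')) continue;
    const [keyword, ...args] = line.slice('[GNUPG:] '.length).trim().split(/\s+/);
    if (CHECKED.has(keyword)) {
      results.push({ state: CHECKED.get(keyword), keyid: args[0],
        detail: args.slice(1).join(' ') });
    } else if (keyword === 'ERRSIG') {
      // ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> [<fpr>]
      const rc = Number(args[5]);
      const algo = PUBKEY_ALGOS[Number(args[1])] || `pubkey algo ${args[1]}`;
      results.push({ state: 'unverified', keyid: args[0],
        detail: `${algo}: ${ERRSIG_REASONS[rc] || `error code ${rc}`}` });
    }
  }
  return results;
}

// Overall verdict across all signatures (policy assumed for this example):
// any BAD signature wins, otherwise one fully good signature is enough, and
// every individual result is listed instead of being dropped.
function summarize(results) {
  let verdict = 'unsigned';
  if (results.some((r) => r.state === 'bad')) verdict = 'bad';
  else if (results.some((r) => r.state === 'good')) verdict = 'good';
  else if (results.length > 0) verdict = 'not verified';
  return { verdict, lines: results.map((r) => `${r.keyid}: ${r.state} (${r.detail})`) };
}

// What a frontend reports if it keeps only the first or only the last result.
function singleResult(results, which) {
  return which === 'first' ? results[0] : results[results.length - 1];
}

// Constructed status output: an EdDSA signature an older GnuPG cannot check,
// followed by an RSA signature that verifies.
const SAMPLE_STATUS = [
  '[GNUPG:] NEWSIG',
  '[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 22 10 01 1449869764 4',
  '[GNUPG:] NEWSIG',
  '[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Signer',
].join('\n');

console.log(summarize(parseStatus(SAMPLE_STATUS)));
console.log('first only:', singleResult(parseStatus(SAMPLE_STATUS), 'first').state);
```

With the sample above, a reader that keeps only the first result reports an unverified signature, while one that keeps only the last reports a good one; swapping the order of the two signatures swaps those outcomes.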
From brad at fineby.me.uk Fri Dec 11 23:12:57 2015
From: brad at fineby.me.uk (Brad Rogers)
Date: Fri, 11 Dec 2015 22:12:57 +0000
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <1662083054.20151211213556@my_localhost>
References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org>
<619034873.20151208224719@my_localhost>
<20151208232436.72780e07@abydos.stargate.org.uk>
<541836753.20151210005023@my_localhost>
<20151210094631.4bd7fbd9@abydos.stargate.org.uk>
<1662083054.20151211213556@my_localhost>
Message-ID: <20151211221257.6bad2e8e@abydos.stargate.org.uk>
On Fri, 11 Dec 2015 21:35:56 +0000
MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote:
Hello MFPA,
>1.4.x should verify the signature from my RSA subkey but report "Can't
>check signature: unknown pubkey algorithm" for the signature from my
>EDDSA subkey.
Unfortunately, GPGME and Claws Mail (probably) interfere with the error
reporting. No matter.....
--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
Loaded like a freight train flyin' like an aeroplane
Nightrain - Guns 'N' Roses
From brian at minton.name Fri Dec 11 22:55:46 2015
From: brian at minton.name (Brian Minton)
Date: Fri, 11 Dec 2015 16:55:46 -0500
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <1039963885.20151211214204@my_localhost>
References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org>
<619034873.20151208224719@my_localhost>
<20151208232436.72780e07@abydos.stargate.org.uk>
<541836753.20151210005023@my_localhost> <5669788B.6010406@nordnet.fr>
<1039963885.20151211214204@my_localhost>
Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I got the following message:
rejected by import screener
Here's more detail (gpg 2.1.8 on Windows 8):
C:\Users\mintonb>gpg -vvv --recv 0x1712BC461AF778E4
gpg: using character set 'CP437'
gpg: data source: http://pgp.mit.edu:80
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Version: SKS 1.1.5
gpg: armor header: Comment: Hostname: pgp.mit.edu
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
version 4, algo 1, created 1415500876, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
keyid: 251BCCEB547B7194
# off=272 ctb=b4 tag=13 hlen=2 plen=4
:user ID packet: "MFPA"
# off=278 ctb=89 tag=2 hlen=3 plen=322
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1415582356, md5len 0, sigclass 0x13
digest algo 10, begin of digest 24 eb
hashed subpkt 27 len 1 (key flags: 01)
hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2)
hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2)
hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
hashed subpkt 2 len 4 (sig created 2014-11-10)
hashed subpkt 25 len 1 (primary user ID)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2048 bits]
# off=603 ctb=89 tag=2 hlen=3 plen=322
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1441185092, md5len 0, sigclass 0x13
digest algo 10, begin of digest f2 40
hashed subpkt 27 len 1 (key flags: 01)
hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2)
hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2)
hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
hashed subpkt 2 len 4 (sig created 2015-09-02)
hashed subpkt 25 len 1 (primary user ID)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2042 bits]
# off=928 ctb=b4 tag=13 hlen=2 plen=18
:user ID packet: "0x251BCCEB547B7194"
# off=948 ctb=89 tag=2 hlen=3 plen=319
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1416188694, md5len 0, sigclass 0x13
digest algo 10, begin of digest a3 61
hashed subpkt 27 len 1 (key flags: 01)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
hashed subpkt 2 len 4 (sig created 2014-11-17)
hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2)
hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2)
hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2048 bits]
# off=1270 ctb=89 tag=2 hlen=3 plen=319
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1441185086, md5len 0, sigclass 0x13
digest algo 10, begin of digest 58 9d
hashed subpkt 27 len 1 (key flags: 01)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2)
hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2)
hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0)
hashed subpkt 2 len 4 (sig created 2015-09-02)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2045 bits]
# off=1592 ctb=89 tag=2 hlen=3 plen=319
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1416145056, md5len 0, sigclass 0x13
digest algo 10, begin of digest 30 1c
hashed subpkt 2 len 4 (sig created 2014-11-16)
hashed subpkt 27 len 1 (key flags: 01)
hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2)
hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2)
hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2044 bits]
# off=1914 ctb=b4 tag=13 hlen=2 plen=81
:user ID packet: "2014-667rhzu3dc-lists-groups at riseup.net <2014-667rhzu3dc-lists
- -groups at riseup.net>"
# off=1997 ctb=89 tag=2 hlen=3 plen=319
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1441159293, md5len 0, sigclass 0x13
digest algo 10, begin of digest 96 2d
hashed subpkt 27 len 1 (key flags: 01)
hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2)
hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2)
hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
hashed subpkt 2 len 4 (sig created 2015-09-02)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2046 bits]
# off=2319 ctb=89 tag=2 hlen=3 plen=319
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1415582302, md5len 0, sigclass 0x13
digest algo 10, begin of digest cd 16
hashed subpkt 2 len 4 (sig created 2014-11-10)
hashed subpkt 27 len 1 (key flags: 01)
hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2)
hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2)
hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2047 bits]
# off=2641 ctb=b8 tag=14 hlen=2 plen=86
:public sub key packet:
version 4, algo 18, created 1415574475, expires 0
pkey[0]: [72 bits] nistp256 (1.2.840.10045.3.1.7)
pkey[1]: [515 bits]
pkey[2]: [32 bits]
keyid: 6ACDDA063F6FC8DE
# off=2729 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1415574475, md5len 0, sigclass 0x18
digest algo 10, begin of digest f8 e2
hashed subpkt 2 len 4 (sig created 2014-11-09)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2047 bits]
# off=3019 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1421371951, md5len 0, sigclass 0x28
digest algo 10, begin of digest 64 f3
hashed subpkt 2 len 4 (sig created 2015-01-16)
hashed subpkt 29 len 1 (revocation reason 0x03 ())
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2045 bits]
# off=3309 ctb=b8 tag=14 hlen=2 plen=87
:public sub key packet:
version 4, algo 18, created 1417809993, expires 0
pkey[0]: [80 bits] brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
pkey[1]: [515 bits]
pkey[2]: [32 bits]
keyid: 4793107F2C53A3B6
# off=3398 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1417809993, md5len 0, sigclass 0x18
digest algo 10, begin of digest 8c 6d
hashed subpkt 2 len 4 (sig created 2014-12-05)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2045 bits]
# off=3688 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
version 4, algo 1, created 1415502447, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
keyid: 6B7C74CEB31F25F0
# off=3960 ctb=89 tag=2 hlen=3 plen=670
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1415502447, md5len 0, sigclass 0x18
digest algo 10, begin of digest fa 7d
hashed subpkt 2 len 4 (sig created 2014-11-09)
hashed subpkt 27 len 1 (key flags: 02)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
subpkt 32 len 380 (signature: v4, class 0x19, algo 1, digest algo 10)
data: [2046 bits]
# off=4633 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
version 4, algo 1, created 1415502602, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
keyid: 8D69E0E6BAE157F8
# off=4905 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 251BCCEB547B7194
version 4, created 1415502602, md5len 0, sigclass 0x18
digest algo 10, begin of digest 6e e7
hashed subpkt 2 len 4 (sig created 2014-11-09)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID 251BCCEB547B7194)
data: [2048 bits]
gpg: pub rsa2048/251BCCEB547B7194 2014-11-09 MFPA
gpg: key 251BCCEB547B7194: rejected by import screener
gpg: Total number processed: 1
C:\Users\mintonb>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
From david at gbenet.com Sat Dec 12 11:59:01 2015
From: david at gbenet.com (david at gbenet.com)
Date: Sat, 12 Dec 2015 10:59:01 +0000
Subject: Merry Christmas
Message-ID: <566BFDF5.3080005@gbenet.com>
-- http://www.bbc.com/news/uk-35058761
David
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the
kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No
delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com
From philip.jackson at nordnet.fr Sun Dec 13 00:11:05 2015
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Sun, 13 Dec 2015 00:11:05 +0100
Subject: Error message "gpg: Can't check signature: Broken public key"
In-Reply-To: <1039963885.20151211214204@my_localhost>
References: <144345553.20151207235136@my_localhost>
<5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost>
<20151208232436.72780e07@abydos.stargate.org.uk>
<541836753.20151210005023@my_localhost> <5669788B.6010406@nordnet.fr>
<1039963885.20151211214204@my_localhost>
Message-ID: <566CA989.70902@nordnet.fr>
On 11/12/15 22:42, MFPA wrote:
>
>> > On my laptop, with Debian Jessie and gpg2.1.7, the
>> > signature verifies ok. Again normal for 2.1.x
> Do both signatures verify correctly for you with 2.1.x, or does
> Enigmail still only pass on the result of one of them?
>
I don't use the laptop regularly for mail but I did update its inbox
today just to check out what it does now.
gpg2.1.7 with enigmail 1.9a1 of 30 Nov 2015 verifies all your emails of
2015 as 'good signature'. However, when I look to see more details, the
verification behind the enigmail 'Details' button quotes key ID
0x547B7194 which is the RSA 2048 public key identity.
But when I look into the enigmail log, there I see that signatures were
made by both EDDSA subkey 0x1712BC461AF778E4 and RSA subkey
0x6B7C74CEB31F25F0.
Getting back to the desktop --
On my desktop with 2.0.22 with enigmail 1.9a1 of 8 Oct 2015, enigmail
provides differing info depending on whether you're inline or pgp/mime.
The latter gives the more alarming info behind enigmail's Details button
"Untrusted bad signature ...."
But again, enigmail's logfile shows both subkeys were used. Enigmail
doesn't use the available info which is there in the logfile wrt the RSA
key ...(I quote from the logfile)...
"using subkey 0x6B7C74CEB31F25F0 instead of primary key 0x251BCCEB547B7194
gpg: using PGP trust model
gpg: key 0x26BD500A23543A63: accepted as trusted key
gpg: Good signature from "MFPA" [unknown]
gpg: aka "2014-667rhzu3dc-lists-groups at riseup.net
<2014-667rhzu3dc-lists-groups at riseup.net>" [unknown]
gpg: aka "0x251BCCEB547B7194" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!"
Never mind the trust issue. The logfile does show "good signature".
Philip
From bober_182 at riseup.net Mon Dec 14 06:20:17 2015
From: bober_182 at riseup.net (bober)
Date: Mon, 14 Dec 2015 05:20:17 +0000
Subject: Tor Support for SKSkeyservers in 2.1
Message-ID: <566E5191.80506@riseup.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Greetings,
I am having trouble setting up TOR support for sks-keyservers in 2.1.
I recently migrated my system from an ubuntu install where I had this
in my gpg.conf file.
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem
keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
Now that I am on Arch, and using the 2.1 GPG I need to change some
options to make this work.
I have the following in my dirmngr.conf
hkp-cacert ~/.gnupg/sks-keyservers.netCA.pem
And it works without the
keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
line in my gpg.conf
But then I don't have TOR support.
Otherwise, if I include it, I get the following error message.
gpg: error searching keyserver: Configuration error
gpg: keyserver search failed: Configuration error
Regards, bober
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From malte at wk3.org Mon Dec 14 10:46:57 2015
From: malte at wk3.org (Malte)
Date: Mon, 14 Dec 2015 10:46:57 +0100
Subject: Tor Support for SKSkeyservers in 2.1
In-Reply-To: <566E5191.80506@riseup.net>
References: <566E5191.80506@riseup.net>
Message-ID: <3480536.nM1hsSSNXB@localhost>
On Monday 14 December 2015 05:20 bober wrote:
> I am having trouble setting up TOR support for sks-keyservers in 2.1.
Hi,
the --use-tor option got introduced in 2.1.10:
https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030385.html
If you are using GnuPG in a version before 2.1.10 the following might help
you:
https://lists.gnupg.org/pipermail/gnupg-users/2015-September/054299.html
Sincerely,
Malte
From wk at gnupg.org Tue Dec 15 19:43:32 2015
From: wk at gnupg.org (Werner Koch)
Date: Tue, 15 Dec 2015 19:43:32 +0100
Subject: Tor Support for SKSkeyservers in 2.1
In-Reply-To: <566E5191.80506@riseup.net> (bober's message of "Mon, 14 Dec 2015
05:20:17 +0000")
References: <566E5191.80506@riseup.net>
Message-ID: <87wpsf4koa.fsf@vigenere.g10code.de>
On Mon, 14 Dec 2015 06:20, bober_182 at riseup.net said:
> keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
A http proxy is not a socks proxy. These are different concepts. Tor
is implemented as a socks proxy and GnuPG before version 2.1.10 has no
support for this. See Malte's mails on how to work around this.
Note that the Tor support in 2.1.10 depends on how GnuPG was built.
Unless you are using the Windows installer you need to build against a
patched version of the ADNS library.
However, for all platforms you can use keyservers behind an onion address
- this works even if you do not put "use-tor" into dirmngr.conf.
Instead put
keyserver hkp://dyh2j3qyrirn43iw.onion
into dirmngr.conf and do _not_ put a keyserver option into gpg.conf.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
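The migration problem in this thread (the old gpg.conf lines from the question, the dirmngr.conf advice from the reply) can be turned into a small configuration check. This is an added example, not code from any poster or from GnuPG; the function names, messages and directory layout are assumptions, and the sample files are constructed from the lines quoted in the thread.

```sh
#!/bin/sh
# Added example: lint a GnuPG home directory for the keyserver settings
# discussed in this thread. All names and messages here are hypothetical.

# Print one finding per line for the GnuPG home directory given as $1.
lint_keyserver_conf() {
    gpg_conf=$1/gpg.conf
    dirmngr_conf=$1/dirmngr.conf

    # Proxy option carried over into gpg.conf: the line the poster had to drop.
    if [ -f "$gpg_conf" ] &&
       grep -Eq '^[[:space:]]*keyserver-options[[:space:]].*http-proxy=' "$gpg_conf"; then
        echo "gpg.conf: keyserver-options http-proxy carried over from the pre-2.1 setup"
        if grep -Eq 'http-proxy=socks' "$gpg_conf"; then
            echo "gpg.conf: http-proxy is given a SOCKS URL, which is not an HTTP proxy"
        fi
    fi

    # The reply's advice: no keyserver line in gpg.conf, put it in dirmngr.conf.
    # The pattern requires whitespace after "keyserver", so it does not match
    # "keyserver-options".
    if [ -f "$gpg_conf" ] &&
       grep -Eq '^[[:space:]]*keyserver[[:space:]]' "$gpg_conf"; then
        echo "gpg.conf: keyserver line should move to dirmngr.conf"
    fi

    # Tor routing: either use-tor (2.1.10 and later) or an onion keyserver.
    if [ -f "$dirmngr_conf" ] &&
       grep -Eq '^[[:space:]]*(use-tor|keyserver[[:space:]]+hkp://[a-z2-7]+\.onion)' "$dirmngr_conf"; then
        echo "dirmngr.conf: keyserver traffic goes over Tor"
    else
        echo "dirmngr.conf: no Tor routing configured"
    fi
}

# Constructed sample homes: $1/old mirrors the setup from the question,
# $1/new follows the onion-keyserver advice from the reply.
write_samples() {
    mkdir -p "$1/old" "$1/new"
    cat > "$1/old/gpg.conf" <<'EOF'
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem
keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
EOF
    printf '%s\n' 'hkp-cacert ~/.gnupg/sks-keyservers.netCA.pem' > "$1/old/dirmngr.conf"
    printf '%s\n' 'keyserver hkp://dyh2j3qyrirn43iw.onion' > "$1/new/dirmngr.conf"
}

# Run both sample homes through the check when executed directly.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "old:"; lint_keyserver_conf "$demo_dir/old"
echo "new:"; lint_keyserver_conf "$demo_dir/new"
rm -rf "$demo_dir"
```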
From anthony at cajuntechie.org Tue Dec 15 23:58:21 2015
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Tue, 15 Dec 2015 16:58:21 -0600
Subject: Can I pass the password from the command line?
Message-ID: <56709B0D.9060009@cajuntechie.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I'd like to script encryption and decryption from the command line. Is
there a way to pass the encryption passphrase to GnuPG from the
command line? For example:
gpg2 --encrypt --recipient --passphrase anthony at cajuntechie.org
SomePassphrase FileIWantToEncrypt
Is this possible at all? If so, how? Also, the same question for
decryption.
Thanks!
Anthony
- --
Phone: 1.845.666.1114
Skype: cajuntechie
PGP Key: 0x028ADF7453B04B15
Fingerprint: C5CE E687 DDC2 D12B 9063 56EA 028A DF74 53B0 4B15
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From andrewg at andrewg.com Wed Dec 16 00:07:04 2015
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 15 Dec 2015 23:07:04 +0000
Subject: Can I pass the password from the command line?
In-Reply-To: <56709B0D.9060009@cajuntechie.org>
References: <56709B0D.9060009@cajuntechie.org>
Message-ID: <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com>
> On 15 Dec 2015, at 22:58, Anthony Papillion wrote:
>
> I'd like to script encryption and decryption from the command line. Is
> there a way to pass the encryption passphrase to GnuPG from the
> command line.
I don't think there is a password parameter, and I'd strongly recommend not doing it even if there was. Many OSes make the command line parameters of processes available to any local user.
Have you tried piping the password to stdin?
Andrew
From anthony at cajuntechie.org Wed Dec 16 00:21:44 2015
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Tue, 15 Dec 2015 17:21:44 -0600
Subject: Can I pass the password from the command line?
In-Reply-To: <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com>
References: <56709B0D.9060009@cajuntechie.org>
<6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com>
Message-ID: <5670A088.8080903@cajuntechie.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 12/15/2015 5:07 PM, Andrew Gallagher wrote:
>
>> On 15 Dec 2015, at 22:58, Anthony Papillion
>> wrote:
>>
>> I'd like to script encryption and decryption from the command
>> line. Is there a way to pass the encryption passphrase to GnuPG
>> from the command line.
>
> I don't think there is a password parameter, and I'd strongly
> recommend not doing it even if there was. Many OSes make the
> command line parameters of processes available to any local user.
>
> Have you tried piping the password to stdin?
>
> Andrew
Thank you for the quick answer, Andrew. After thinking about it, I can
see the absolute folly of having something set up the way I requested
and I appreciate you pointing that out. I had not thought about piping
to stdin - never even crossed my mind!
Thanks again!
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From sbutler at fchn.com Wed Dec 16 00:21:13 2015
From: sbutler at fchn.com (Steve Butler)
Date: Tue, 15 Dec 2015 23:21:13 +0000
Subject: Can I pass the password from the command line?
In-Reply-To: <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com>
References: <56709B0D.9060009@cajuntechie.org>,
<6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com>
Message-ID:
There is under 1.4. Don't know if it is in v2. I'm not at my desk to pop the script open. But you could pipe the passphrase via stdin and tell gpg to grab it from there. Be careful as that still leaves it in the clear to those reading your script. Potential local users could also see it if you echo'd it to the pipe.
Sent from my Verizon Wireless 4G LTE smartphone
-------- Original message --------
From: Andrew Gallagher
Date: 12/15/2015 15:09 (GMT-08:00)
To: Anthony Papillion
Cc: gnupg-users at gnupg.org
Subject: Re: Can I pass the password from the command line?
> On 15 Dec 2015, at 22:58, Anthony Papillion wrote:
>
> I'd like to script encryption and decryption from the command line. Is
> there a way to pass the encryption passphrase to GnuPG from the
> command line.
I don't think there is a password parameter, and I'd strongly recommend not doing it even if there was. Many OSes make the command line parameters of processes available to any local user.
Have you tried piping the password to stdin?
Andrew
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
From marioxcc.MT at yandex.com Wed Dec 16 01:27:06 2015
From: marioxcc.MT at yandex.com (Mario Castelán Castro)
Date: Tue, 15 Dec 2015 18:27:06 -0600
Subject: Can I pass the password from the command line?
In-Reply-To: <5670A088.8080903@cajuntechie.org>
References: <56709B0D.9060009@cajuntechie.org>
<6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com>
<5670A088.8080903@cajuntechie.org>
Message-ID: <5670AFDA.7090204@yandex.com>
On 15/12/15 at 17:21, Anthony Papillion wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 12/15/2015 5:07 PM, Andrew Gallagher wrote:
>>
>>> On 15 Dec 2015, at 22:58, Anthony Papillion
>>> wrote:
>>>
>>> I'd like to script encryption and decryption from the command
>>> line. Is there a way to pass the encryption passphrase to GnuPG
>>> from the command line.
>>
>> I don't think there is a password parameter, and I'd strongly
>> recommend not doing it even if there was. Many OSes make the
>> command line parameters of processes available to any local user.
>>
>> Have you tried piping the password to stdin?
>>
>> Andrew
>
> Thank you for the quick answer, Andrew. After thinking about it, I can
> see the absolute folly of having something set up the way I requested
> and I appreciate you pointing that out. I had not thought about piping
> to stdin - never even crossed my mind!
>
> Thanks again!
I recall that there is an option "--passphrase-file", which can be used
to pass the password programmatically. Of course, make sure that the file
has secure permissions since it's created (or at least, written to) to
store the password.
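The three points raised in this thread (arguments are visible to local users, feed the passphrase over a pipe or descriptor instead, keep a passphrase file private from the moment it is created) can be checked with the script below. It is an added example, not part of any poster's message: `stand-in` is a hypothetical placeholder process used in place of gpg so the script runs without a keyring, and the passphrase is constructed. It assumes Linux `/proc` and GNU `stat`; with GnuPG the descriptor variant corresponds to `--batch --passphrase-fd 3` (plus `--pinentry-mode loopback` on 2.1).

```sh
#!/bin/sh
# Added example, not from the thread. "stand-in" is a hypothetical placeholder
# process playing the role of gpg; SECRET is a constructed passphrase.
# Assumes Linux /proc and GNU stat.

SECRET='correct horse battery staple'

# Print the argv of PID $1 as ps(1), or any reader of /proc, would see it.
# Polls for up to ~2 s so the child has exec'ed the stand-in before we look.
observed_argv() {
    tries=0
    while [ "$tries" -lt 40 ]; do
        argv=$(tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline") || argv=
        case $argv in
            *stand-in*) printf '%s\n' "$argv"; return 0 ;;
        esac
        tries=$((tries + 1))
        sleep 0.05
    done
    return 1
}

# Report whether the secret shows up in the argv text given as $1.
verdict() {
    case $1 in
        *"$SECRET"*) echo exposed ;;
        *)           echo hidden ;;
    esac
}

# Weak form: the passphrase is an argument, as in "tool --passphrase SECRET".
demo_argv() {
    sh -c 'sleep 1; :' stand-in --passphrase "$SECRET" &
    pid=$!
    argv=$(observed_argv "$pid") || { wait "$pid"; echo error; return 1; }
    wait "$pid"
    verdict "$argv"
}

# Safer form: the passphrase arrives on file descriptor 3. The here-document
# is fed by the shell itself, so no process carries the secret in its argv.
# (A builtin echo/printf into a pipe is equally invisible to ps; an external
# /bin/echo "$SECRET" is not. The secret is still readable in the script file.)
# Prints the verdict plus the passphrase length the stand-in received.
demo_fd() {
    out=$(mktemp)
    sh -c 'IFS= read -r pw <&3; printf %s "${#pw}" > "$1"; sleep 1; :' \
        stand-in "$out" 3<<EOF &
$SECRET
EOF
    pid=$!
    argv=$(observed_argv "$pid") || { wait "$pid"; rm -f "$out"; echo error; return 1; }
    wait "$pid"
    echo "$(verdict "$argv") $(cat "$out")"
    rm -f "$out"
}

# For a passphrase file: create it private from the start. umask 077 gives
# mode 600 at creation; noclobber (set -C) refuses to write into an existing
# file whose permissions we did not choose. Prints the resulting octal mode.
write_secret_file() {
    ( umask 077; set -C; printf '%s\n' "$SECRET" > "$1" ) 2>/dev/null || return 1
    stat -c '%a' "$1"
}

# Run the two process demonstrations when executed directly.
echo "argv: $(demo_argv)"
echo "fd 3: $(demo_fd)"
```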
From erkan77 at gmail.com Wed Dec 16 05:53:01 2015
From: erkan77 at gmail.com (Erkan Yilmaz)
Date: Wed, 16 Dec 2015 05:53:01 +0100
Subject: end-of-life for libgcrypt 1.5.x
Message-ID:
Hello,
is this info (1), from 2014 August, still valid ?
Thank you,
Erkan
(1) "Declare 2016-12-31 as end-of-life for 1.5."
https://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html
From fabian at fstab.de Wed Dec 16 11:51:51 2015
From: fabian at fstab.de (Fabian Stäber)
Date: Wed, 16 Dec 2015 11:51:51 +0100
Subject: character encoding differs in gpg and gpg2
Message-ID: <20151216105151.GA950@lessing.int.consol.de>
Hello,
sorry if this has been asked before, but I didn't find it on google:
If I call gpg, it uses charset utf-8.
If I call gpg2, it uses charset US-ASCII.
My locale is en_US.UTF-8.
My name has a special character. 'gpg --edit-key' shows it correctly, 'gpg2 --edit-key' does not.
I am wondering what other users will most likely see when they get my key from the keyserver?
Is my key correct and gpg2 wrong, or is my key wrong and gpg2 correct?
Thanks a lot
Fabian
P.S.: gpg is version 1.4.19, gpg2 is version 2.0.29, I am using iTerm on OS X.
From wk at gnupg.org Wed Dec 16 13:48:14 2015
From: wk at gnupg.org (Werner Koch)
Date: Wed, 16 Dec 2015 13:48:14 +0100
Subject: end-of-life for libgcrypt 1.5.x
In-Reply-To:
(Erkan Yilmaz's message of "Wed, 16 Dec 2015 05:53:01 +0100")
References:
Message-ID: <87zixa36gh.fsf@vigenere.g10code.de>
On Wed, 16 Dec 2015 05:53, erkan77 at gmail.com said:
> is this info (1), from 2014 August, still valid ?
> (1) "Declare 2016-12-31 as end-of-life for 1.5."
Sure.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From erkan77 at gmail.com Wed Dec 16 14:10:46 2015
From: erkan77 at gmail.com (Erkan Yilmaz)
Date: Wed, 16 Dec 2015 14:10:46 +0100
Subject: end-of-life for libgcrypt 1.5.x
In-Reply-To: <87zixa36gh.fsf@vigenere.g10code.de>
References:
<87zixa36gh.fsf@vigenere.g10code.de>
Message-ID:
Hello Werner,
thank you very much for the confirmation.
Have a nice day,
Erkan
On Wed, Dec 16, 2015 at 1:48 PM, Werner Koch wrote:
> On Wed, 16 Dec 2015 05:53, erkan77 at gmail.com said:
>
> > is this info (1), from 2014 August, still valid ?
>
> > (1) "Declare 2016-12-31 as end-of-life for 1.5."
>
> Sure.
>
>
> Shalom-Salam,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
>
From jarlelistsubscriber at gmail.com Wed Dec 16 17:19:07 2015
From: jarlelistsubscriber at gmail.com (Jarle Hammen Knudsen)
Date: Wed, 16 Dec 2015 17:19:07 +0100
Subject: Get gpg to use keyring files in the current directory
Message-ID: <56718EFB.6000006@gmail.com>
I'm trying to get gpg to create and use keyring files in the current
directory.
In e:\test I have this options file named test.conf :
utf8-strings
no-default-keyring
keyring test-public.keyring
secret-keyring test-secret.keyring
If I cd to e:\test and use this command line:
gpg --gen-key --options test.conf
the keyrings are not created in the current directory, but in
C:\Users\username\AppData\Roaming\gnupg
The options file is read, since the keyring files use the specified names.
I'm using gpg to encrypt small backup files which will be decrypted by
non-tech-savvy users that do not
usually use gpg. I'm going to store the keyrings ready for use on a
USB-stick and will not know the absolute path
to the keyfiles.
Any suggestions?
gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0)
Windows 10
From sbutler at fchn.com Wed Dec 16 18:30:18 2015
From: sbutler at fchn.com (Steve Butler)
Date: Wed, 16 Dec 2015 17:30:18 +0000
Subject: Get gpg to use keyring files in the current directory
In-Reply-To: <56718EFB.6000006@gmail.com>
References: <56718EFB.6000006@gmail.com>
Message-ID: <1e14659a5fba44afb4c0dd613dde8e85@t1l1exchmbs-01.fchn.com>
Either set --homedir on the command line or in the options file.
-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Jarle Hammen Knudsen
Sent: Wednesday, December 16, 2015 8:19 AM
To: Gnupg-users at gnupg.org
Subject: Get gpg to use keyring files in the current directory
I'm trying to get gpg to create and use keyring files in the current directory.
In e:\test I have this options file named test.conf :
utf8-strings
no-default-keyring
keyring test-public.keyring
secret-keyring test-secret.keyring
If I cd to e:\test and use this command line:
gpg --gen-key --options test.conf
the keyrings are not created in the current directory, but in C:\Users\username\AppData\Roaming\gnupg
The options file is read, since the keyring files use the specified names.
I'm using gpg to encrypt small backup files which will be decrypted by non-tech-savvy users that do not usually use gpg. I'm going to store the keyrings ready for use on a USB-stick and will not know the absolute path to the keyfiles.
Any suggestions?
gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0)
Windows 10
From anthony at cajuntechie.org Wed Dec 16 20:41:00 2015
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Wed, 16 Dec 2015 13:41:00 -0600
Subject: QC resistant algorithms?
Message-ID: <5671BE4C.5010601@cajuntechie.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
While I know it's not a big concern at the moment, we are well on the
way to a future that includes quantum computing. While some in the
computer science and crypto fields say we won't see a crypto breaking
quantum computer for another 30+ years, others are putting it closer
to 10 and even 5-6.
Regardless of what the actual timeframe is, I'm wondering what work is
being done in GnuPG to implement QC resistant asymmetric algorithms?
Perhaps a better question, and I have done very little research into
this specifically I admit, /are/ there any QC resistant asymmetric
algorithms to implement or will we need to come up with something
completely different?
Anthony
- --
Phone: 1.845.666.1114
Skype: cajuntechie
PGP Key: 0x028ADF7453B04B15
Fingerprint: C5CE E687 DDC2 D12B 9063 56EA 028A DF74 53B0 4B15
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From lachlan at twopif.net Wed Dec 16 21:14:29 2015
From: lachlan at twopif.net (Lachlan Gunn)
Date: Wed, 16 Dec 2015 21:14:29 +0100
Subject: QC resistant algorithms?
In-Reply-To: <5671BE4C.5010601@cajuntechie.org>
References: <5671BE4C.5010601@cajuntechie.org>
Message-ID:
Long story short, there exist algorithms that are hypothesised to be
QC-resistant, though as far as I know nothing is proven in that
respect. Those that do exist, there's still a substantial possibility
that they'll be broken. Key and signature sizes are generally large,
kilobytes to megabytes.
Certainly nothing is standardised, let alone being ready to go into OpenPGP.
This is all outside of my area, so someone please correct me if I'm way off.
Thanks,
Lachlan
From kloecker at kde.org Wed Dec 16 21:17:11 2015
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 16 Dec 2015 21:17:11 +0100
Subject: QC resistant algorithms?
In-Reply-To: <5671BE4C.5010601@cajuntechie.org>
References: <5671BE4C.5010601@cajuntechie.org>
Message-ID: <1751464.p7NrN1UKX4@thufir>
On Wednesday 16 December 2015 13:41:00 Anthony Papillion wrote:
> While I know it's not a big concern at the moment, we are well on the
> way to a future that includes quantum computing. While some in the
> computer science and crypto fields say we won't see a crypto breaking
> quantum computer for another 30+ years, others are putting it closer
> to 10 and even 5-6.
>
> Regardless of what the actual timeframe is, I'm wondering what work is
> being done in GnuPG to implement QC resistant asymmetric algorithms?
> Perhaps a better question, and I have done very little research into
> this specifically I admit, /are/ there any QC resistant asymmetric
> algorithms to implement or will we need to come up with something
> completely different?
Yes.
You might want to continue your research at
https://en.wikipedia.org/wiki/Post-quantum_cryptography
Regards,
Ingo
From anthony at cajuntechie.org Wed Dec 16 21:22:13 2015
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Wed, 16 Dec 2015 14:22:13 -0600
Subject: QC resistant algorithms?
In-Reply-To:
References: <5671BE4C.5010601@cajuntechie.org>
Message-ID: <5671C7F5.5020508@cajuntechie.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 12/16/2015 2:14 PM, Lachlan Gunn wrote:
> Long story short, there exist algorithms that are hypothesised to
> be QC-resistant, though as far as I know nothing is proven in that
> respect. Those that do exist, there's still a substantial
> possibility that they'll be broken. Key and signature sizes are
> generally large, kilobytes to megabytes.
>
> Certainly nothing is standardised, let alone being ready to go into
> OpenPGP.
>
> This is all outside of my area, so someone please correct me if I'm
> way off.
This is sort of what I'd gathered from the brief reading I've done
about the situation. I'm sure there's a lot of research going on in
the area and I certainly hope "we beat them to it".
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From rjh at sixdemonbag.org Wed Dec 16 23:21:21 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 16 Dec 2015 17:21:21 -0500
Subject: QC resistant algorithms?
In-Reply-To:
References: <5671BE4C.5010601@cajuntechie.org>
Message-ID: <5671E3E1.4070004@sixdemonbag.org>
> Long story short, there exist algorithms that are hypothesised to be
> QC-resistant, though as far as I know nothing is proven in that
> respect.
The one-time pad is proven QC resistant.
With respect to hypothesis, remember that *none* of the ciphers in
OpenPGP are proven to be resistant against even classical computers, and
we won't until there's a solid proof that P != NP. QC-resistant
algorithms are in much the same state: a formal proof that an algorithm
was QC-resistant would be breathtaking and shocking, and possibly on the
level of a P != NP proof.
> Those that do exist, there's still a substantial possibility
> that they'll be broken.
Some. Others look quite solid -- e.g., Lamport signatures.
From rjh at sixdemonbag.org Wed Dec 16 23:25:26 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 16 Dec 2015 17:25:26 -0500
Subject: QC resistant algorithms?
In-Reply-To: <5671C7F5.5020508@cajuntechie.org>
References: <5671BE4C.5010601@cajuntechie.org>
<5671C7F5.5020508@cajuntechie.org>
Message-ID: <5671E4D6.1060204@sixdemonbag.org>
> This is sort of what I'd gathered from the brief reading I've done
> about the situation. I'm sure there's a lot of research going on in
> the area and I certainly hope "we beat them to it".
If I remember correctly, we definitely already have -- a while ago I saw
some paper claiming to be a proof that McEliece was NP-HARD. If that's
true, I'm willing to say McEliece is QC-immune, because a QC attack on
an NP-HARD problem is currently pretty much unimaginable.
From mls at dabpunkt.eu Thu Dec 17 00:09:10 2015
From: mls at dabpunkt.eu (Daniel Baur)
Date: Thu, 17 Dec 2015 00:09:10 +0100
Subject: character encoding differs in gpg and gpg2
In-Reply-To: <20151216105151.GA950@lessing.int.consol.de>
References: <20151216105151.GA950@lessing.int.consol.de>
Message-ID: <5671EF16.9020002@dabpunkt.eu>
Hello,
On 16.12.2015 at 11:51, Fabian Stäber wrote:
> My name has a special character. 'gpg --edit-key' shows it correctly,
> 'gpg2 --edit-key' does not.
Either gpg or gpg2 show the umlaut in your key correctly here. My locale
is LC_ALL=de_DE.UTF-8.
Sincerely,
DaB.
From rjh at sixdemonbag.org Thu Dec 17 21:29:22 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 17 Dec 2015 15:29:22 -0500
Subject: MIT Tech Review on user error
Message-ID: <56731B22.7060603@sixdemonbag.org>
MIT's Technology Review has a good article on how user error tends to
subvert communications security. It's probably not news to people here,
but it might be worth sharing with your less-technical friends.
http://www.technologyreview.com/news/544516/user-error-compromises-many-encrypted-communication-apps/
From gnupgpacker at on.yourweb.de Sun Dec 20 10:44:58 2015
From: gnupgpacker at on.yourweb.de (gnupgpacker)
Date: Sun, 20 Dec 2015 10:44:58 +0100
Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Message-ID: <000601d13b0b$16f72630$44e57290$@on.yourweb.de>
Hello,
I did install Gpg4win-3.0 beta (with gpg 2.1.10 included). All older pub/sec
keys are imported with Kleopatra, gpg encryption / decryption is working.
But if using GPGrelay 0.9.6, while starting it displays attached error
message. There seems to be a different key storing location or key format
between 1.4x and 2.1x versions, isn't it?
How to supply keys for GPGrelay in 1.4x format? Is there any way to export
it from Kleopatra? Correct location?
Thx + regards, Chris
[ http://sourceforge.net/projects/gpgrelay/ ]
[ https://wiki.gnupg.org/Gpg4win/Testversions ]
From wk at gnupg.org Sun Dec 20 13:16:04 2015
From: wk at gnupg.org (Werner Koch)
Date: Sun, 20 Dec 2015 13:16:04 +0100
Subject: [Announce] GnuPG 1.4.20 released
Message-ID: <878u4puxh7.fsf@vigenere.g10code.de>
Hello!
We are pleased to announce the availability of a new GnuPG classic
release: Version 1.4.20. This release finally rejects all MD5 based
signatures; see below for details.
What is GnuPG
=============
The GNU Privacy Guard (GnuPG) is a complete and free implementation of
the OpenPGP standard as defined by RFC-4880 and better known as PGP.
GnuPG, also known as GPG, allows to encrypt and sign data and
communication, features a versatile key management system as well as
access modules for public key directories. GnuPG itself is a command
line tool with features for easy integration with other applications.
A wealth of frontend applications and libraries making use of GnuPG
are available.
GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.
Three different versions of GnuPG are actively maintained:
- GnuPG "modern" (2.1) is the latest development with a lot of new
features.
- GnuPG "stable" (2.0) is the current stable version for general use.
This is what most users are currently using.
- GnuPG "classic" (1.4) is the old standalone version which is most
suitable for older platforms or if there is a need to handle PGP-2
messages. This announcement is about a release of this version.
You may not install "modern" (2.1) and "stable" (2.0) at the same
time. However, it is possible to install "classic" (1.4) along with
any of the other versions.
What's New in GnuPG 1.4.20
==========================
* Reject signatures made using the MD5 hash algorithm unless the
new option --allow-weak-digest-algos or --pgp2 are given.
* New option --weak-digest to specify hash algorithms which
should be considered weak.
* Changed default cipher for symmetric-only encryption to AES-128.
* Fix for DoS when importing certain garbled secret keys.
* Improved error reporting for secret subkey w/o corresponding public
subkey.
* Improved error reporting in decryption due to wrong algorithm.
* Fix cluttering of stdout with trustdb info in double verbose mode.
* Pass a DBUS envvar to gpg-agent for use by gnome-keyring.
Getting the Software
====================
Please follow the instructions found at https://gnupg.org/download/ or
read on:
GnuPG 1.4.20 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server. The list of mirrors can be found
at https://gnupg.org/mirrors.html . Note that GnuPG is not available
at ftp.gnu.org.
On ftp.gnupg.org you find these files:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.20.tar.bz2 (3606k)
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.20.tar.bz2.sig
This is the GnuPG 1.4.20 source code compressed using BZIP2 and its
OpenPGP signature.
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.20.tar.gz (5036k)
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.20.tar.gz.sig
This is the same GnuPG 1.4.20 source code compressed using GZIP and its
OpenPGP signature.
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.20.exe (2359k)
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.20.exe.sig
This is GnuPG 1.4.20 compiled for Microsoft Windows and its OpenPGP
signature. This is a command line only version; the source files are
the same as above. Note, that this is a minimal installer and unless
you are only in need of the simple gpg binary, you are better off
using the full featured installer at https://www.gpg4win.org .
To download the files via https use these URLs:
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.20.tar.bz2
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.20.tar.bz2.sig
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.20.tar.gz
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.20.tar.gz.sig
https://gnupg.org/ftp/gcrypt/binary/gnupg-w32cli-1.4.20.exe
https://gnupg.org/ftp/gcrypt/binary/gnupg-w32cli-1.4.20.exe.sig
Checking the Integrity
======================
In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:
* If you already have a version of GnuPG installed, you can simply
verify the supplied signature. For example to verify the signature
of the file gnupg-1.4.20.tar.bz2 you would use this command:
gpg --verify gnupg-1.4.20.tar.bz2.sig gnupg-1.4.20.tar.bz2
This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
made by one or more of the release signing keys. Make sure that
this is a valid key, either by matching the shown fingerprint
against a trustworthy list of valid release signing keys or by
checking that the key has been signed by trustworthy other keys.
See below for information on the signing keys.
* If you are not able to use an existing version of GnuPG, you have
to verify the SHA-1 checksum. On Unix systems the command to do
this is either "sha1sum" or "shasum". Assuming you downloaded the
file gnupg-1.4.20.tar.bz2, you would run the command like this:
sha1sum gnupg-1.4.20.tar.bz2
and check that the output matches the first line from the
following list:
cbc9d960e3d8488c32675019a79fbfbf8680387e gnupg-1.4.20.tar.bz2
359e464bcabbe370696e3dba45a1d63968c06ab3 gnupg-1.4.20.tar.gz
8f0c4760c9f38102f64a156744ec8a428298b92d gnupg-w32cli-1.4.20.exe
Release Signing Keys
====================
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of
their respective owners. Current releases are signed by one or more
of these four keys:
2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
Werner Koch (dist sig)
rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
David Shaw (GnuPG Release Signing Key)
rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28]
Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
NIIBE Yutaka (GnuPG Release Key)
rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
Werner Koch (Release Signing Key)
You may retrieve these files from the keyservers using this command
gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \
2071B08A33BD3F06 8A861B1C7EFD60D9
The keys are also available at https://gnupg.org/signature_key.html .
Note that this mail has been signed using my standard PGP key.
Support
========
Please consult the archive of the gnupg-users mailing list before
reporting a bug .
We suggest to send bug reports for a new release to this list in favor
of filing a bug at . For commercial support
requests we keep a list of known service companies at:
https://gnupg.org/service.html
If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.
Maintenance and development of GnuPG is mostly financed by donations.
As of today we employ 3 full-time developers, one part-timer, and one
contractor. They all work on GnuPG and closely related software like
Enigmail. Please see
https://gnupg.org/donate/
on how you can help.
Thanks
======
We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, answering questions on the mailing
lists, and donating money.
For the GnuPG hackers,
Werner
p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users at gnupg.org mailing list.
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
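The fingerprint check described under "Checking the Integrity", as an added example that is not part of the announcement: it reads gpg's `--status-fd` output and accepts a signature only when a VALIDSIG line names one of the four release keys listed above. The function names, the sample status lines and the unrelated fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a release only if gpg reports a valid signature
# made by one of the release signing keys named in the announcement.

# Fingerprints copied from the "Release Signing Keys" list (spaces removed).
RELEASE_KEYS="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 \
46CC730865BB5C78EBABADCF04376F3EE0856959 \
031EC2536E580D8EA286A9F22071B08A33BD3F06 \
D238EA65D64C67ED4C3073F28A861B1C7EFD60D9"

# Constructed status output. VALIDSIG fields after the keyword are:
# fingerprint, date, timestamp, expiry, version, reserved, pubkey algo,
# hash algo, signature class, primary key fingerprint.
SAMPLE_RELEASE_SIG='[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2015-12-20 1450613764 0 4 0 1 8 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'

# A cryptographically good signature from a key that is NOT on the list.
SAMPLE_OTHER_SIG='[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-12-20 1450613764 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# A release key, but the signature uses hash algorithm 1 (MD5).
SAMPLE_MD5_SIG='[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2015-12-20 1450613764 0 3 0 1 1 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'

# signer_fingerprints STATUS_TEXT
# Print the signing-key fingerprint of every VALIDSIG line.
signer_fingerprints() {
    printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3) }'
}

# release_sig_ok STATUS_TEXT
# Succeeds only if no BADSIG was reported and at least one non-MD5
# VALIDSIG comes from a listed key (signing key or its primary key).
# ERRSIG lines (e.g. a signer whose key is not in the keyring) are
# neither fatal nor counted as good.
release_sig_ok() {
    printf '%s\n' "$1" | awk -v keys="$RELEASE_KEYS" '
        BEGIN {
            n = split(keys, k, " ")
            for (i = 1; i <= n; i++) allowed[k[i]] = 1
        }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "VALIDSIG" {
            if ($10 == 1) next              # hash algorithm 1 = MD5
            signer = toupper($3)
            primary = toupper($12)
            if (signer in allowed || primary in allowed) good = 1
        }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_release FILE SIGFILE
# Run gpg and judge the result from its status lines, not its messages.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    release_sig_ok "$status"
}

demo() {
    for name in SAMPLE_RELEASE_SIG SAMPLE_OTHER_SIG SAMPLE_MD5_SIG; do
        eval "text=\$$name"
        if release_sig_ok "$text"; then
            echo "$name: accepted"
        else
            echo "$name: rejected (signer: $(signer_fingerprints "$text"))"
        fi
    done
}
demo
```

With real downloads the call is `verify_release gnupg-1.4.20.tar.bz2 gnupg-1.4.20.tar.bz2.sig`; the second sample shows why a "good signature" message alone is not enough.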
From samir at samirnassar.com Sun Dec 20 21:50:09 2015
From: samir at samirnassar.com (Samir Nassar)
Date: Sun, 20 Dec 2015 21:50:09 +0100
Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
In-Reply-To: <000601d13b0b$16f72630$44e57290$@on.yourweb.de>
References: <000601d13b0b$16f72630$44e57290$@on.yourweb.de>
Message-ID: <1545089.7T55mq9Y1A@lathe>
On Sunday 20 December 2015 10:44:58 gnupgpacker wrote:
> But if using GPGrelay 0.9.6, while starting it displays attached error
> message. There seems to be a different key storing location or key format
> between 1.4x and 2.1x versions, isn't it?
This is not about the key format.
It appears that GPGRelay uses the GPG public keyring directly. The keyring
format changed from 1.4 to 2.1.
> How to supply keys for GPGrelay in 1.4x format? Is there any way to export
> it from Kleopatra? Correct location?
I suggest filing a bug with the GPGRelay project to support newer versions of
GnuPG.
--
Samir Nassar
samir at samirnassar.com
https://samirnassar.com
From gnupgpacker at on.yourweb.de Mon Dec 21 11:33:25 2015
From: gnupgpacker at on.yourweb.de (gnupgpacker)
Date: Mon, 21 Dec 2015 11:33:25 +0100
Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Message-ID: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de>
Thanks for answer. It seems GPGrelay is no longer maintained by its
developers but is still working like a charm if gpg.exe 1.4x is used.
So, how to work around and supply keys to GPGrelay even if using gpg version
2 and up?
Regards, Chris
http://sites.inka.de/tesla/gpgrelay.html
http://is.gd/c4duwS (Sourceforge)
From peter at digitalbrains.com Mon Dec 21 11:43:33 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 21 Dec 2015 11:43:33 +0100
Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
In-Reply-To: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de>
References: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de>
Message-ID: <5677D7D5.4010205@digitalbrains.com>
On 21/12/15 11:33, gnupgpacker wrote:
> So, how to work around and supply keys to GPGrelay even if using gpg version
> 2 and up?
Install GnuPG 1.4 alongside 2.1 and manually sync all keys from GnuPG
2.1 to 1.4, with for instance:
$ gpg2 --export | gpg --import
I'm not sure how large the overhead is when you sync all keys every time
you get a new key... GnuPG will figure out that it already has the keys,
but it will inspect all signatures to see if it already has them and
stuff like that, so it might have quite some overhead that way. The
obvious alternative is to import with both GnuPG versions every time you
import a new key.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From gnupgpacker at on.yourweb.de Mon Dec 21 11:53:13 2015
From: gnupgpacker at on.yourweb.de (gnupgpacker)
Date: Mon, 21 Dec 2015 11:53:13 +0100
Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
Message-ID: <004a01d13bdd$ca44e920$5ecebb60$@on.yourweb.de>
Thanks for hint, that would be a distress way.
But it seems to be limited to v1.4x supported keys only.
What will happen, if v1.4x tries to import gpg-2.x keys with elevated
features?
Regards, Chris
From perillamint at gentoo.moe Mon Dec 21 10:28:47 2015
From: perillamint at gentoo.moe (perillamint)
Date: Mon, 21 Dec 2015 18:28:47 +0900
Subject: gpgkey2ssh and Ed25519 key
Message-ID: <5677C64F.1090609@gentoo.moe>
Hello,
I'm having trouble setting up ssh auth using Ed25519 key.
I tried to convert it using gpgkey2ssh and it returns
Unsupported algorithm: 22
Is there any version of gpgkey2ssh or other tool which allows converting
ed25519 pubkey for ssh use?
From neal at walfield.org Mon Dec 21 15:12:23 2015
From: neal at walfield.org (Neal H. Walfield)
Date: Mon, 21 Dec 2015 15:12:23 +0100
Subject: gpgkey2ssh and Ed25519 key
In-Reply-To: <5677C64F.1090609@gentoo.moe>
References: <5677C64F.1090609@gentoo.moe>
Message-ID: <87si2vyjp4.wl-neal@walfield.org>
Hi,
On Mon, 21 Dec 2015 10:28:47 +0100,
perillamint wrote:
> I'm having trouble setting up ssh auth using Ed25519 key.
>
> I tried to convert it using gpgkey2ssh and it returns
>
> Unsupported algorithm: 22
>
> Is there any version of gpgkey2ssh or other tool which allows converting
> ed25519 pubkey for ssh use?
gpgkey2ssh has been deprecated for a while. In fact, it was only
intended as a debugging aid. (See
https://bugs.gnupg.org/gnupg/issue1610)
Thanks,
:) Neal
From samir at samirnassar.com Mon Dec 21 17:08:12 2015
From: samir at samirnassar.com (Samir Nassar)
Date: Mon, 21 Dec 2015 17:08:12 +0100
Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
In-Reply-To: <004a01d13bdd$ca44e920$5ecebb60$@on.yourweb.de>
References: <004a01d13bdd$ca44e920$5ecebb60$@on.yourweb.de>
Message-ID: <1710583.aL8eVhATi7@lathe>
On Monday 21 December 2015 11:53:13 gnupgpacker wrote:
> Thanks for hint, that would be a distress way.
> But it seems to be limited to v1.4x supported keys only.
> What will happen, if v1.4x tries to import gpg-2.x keys with elevated
> features?
The features are part of GnuPG 2.x and not part of the keys themselves. You
can import and export OpenPGP keys freely between Gnupg 1.4 and 2.x and 2.1.
The only thing you cannot do is freely re-use the keystore.
--
Samir Nassar
samir at samirnassar.com
https://samirnassar.com
From gniibe at fsij.org Tue Dec 22 01:06:18 2015
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 22 Dec 2015 00:06:18 +0000
Subject: gpgkey2ssh and Ed25519 key
In-Reply-To: <5677C64F.1090609@gentoo.moe>
References: <5677C64F.1090609@gentoo.moe>
Message-ID: <567893FA.7040105@fsij.org>
On 12/21/2015 09:28 AM, perillamint wrote:
> I'm having trouble setting up ssh auth using Ed25519 key.
When you configure your gpg-agent properly (for your key), you can use
the SSH tool of ssh-add with option -L to show your public key in SSH
format.
Thank you for using the new feature. I know that gpgkey2ssh is still
useful in some cases, but I think that you don't need it because we
can use 'ssh-add -L'.
Here is an example session to configure GnuPG for Ed25519 key. In
this example, I'm adding an authentication subkey for me. Here we go.
I invoke gpg 2.1.x with --edit-key option specifying my name.
An option of --expert is required for Ed25519 key, since it's
not yet in the OpenPGP standard.
$ gpg2 --expert --edit-key gniibe
gpg (GnuPG) 2.1.10; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/4CA7BABE
created: 2010-10-15 expires: never usage: SC
card-no: F517 00000001
trust: ultimate validity: ultimate
ssb rsa2048/084239CF
created: 2010-10-15 expires: never usage: E
card-no: F517 00000001
ssb rsa2048/5BB065DC
created: 2010-10-22 expires: never usage: A
card-no: F517 00000001
[ultimate] (1). NIIBE Yutaka
[ultimate] (2) NIIBE Yutaka
These are my keys (on smartcard, in this case). I'm adding a subkey
of Ed25519 by the subcommand of "addkey".
gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 11
I select "(11) ECC (set your own capabilities)" for authentication
key. Then, put the capability of "Authenticate"...
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Sign
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Removed "Sign" capability, by typing "s" and RETURN.
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions:
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? a
Added "Authenticate" capability, by typing "a" and RETURN.
Possible actions for a ECDSA key: Sign Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
Done (by typing "q" and RETURN). Then, selection of the Curve...
Please select which elliptic curve you want:
(1) Curve 25519
(2) NIST P-256
(3) NIST P-384
(4) NIST P-521
(5) Brainpool P-256
(6) Brainpool P-384
(7) Brainpool P-512
Your selection? 1
I selected "(1) Curve 25519" by typing "1" and RETURN. The name would
be confusing, but this is the curve for Ed25519.
gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard.
Use this curve anyway? (y/N) y
Yup, we know. Confirmed by typing "y" and RETURN.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
Answered "y", more times. Then, I was asked for passphrase (two
times, not shown). I inputted it by pinentry.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa2048/4CA7BABE
created: 2010-10-15 expires: never usage: SC
card-no: F517 00000001
trust: ultimate validity: ultimate
ssb rsa2048/084239CF
created: 2010-10-15 expires: never usage: E
card-no: F517 00000001
ssb rsa2048/5BB065DC
created: 2010-10-22 expires: never usage: A
card-no: F517 00000001
ssb ed25519/9E350F4D
created: 2015-12-21 expires: never usage: A
[ultimate] (1). NIIBE Yutaka
[ultimate] (2) NIIBE Yutaka
OK, I have the subkey of ed25519/9E350F4D. Good.
gpg> save
Saved. We need the keygrip of this subkey to configure gpg-agent for
the SSH key. I invoke the gpg to see the keygrip:
$ gpg2 --with-keygrip --list-keys gniibe
pub rsa2048/4CA7BABE 2010-10-15
Keygrip = 101DE7B639FE29F4636BDEECF442A9273AFA6565
uid [ultimate] NIIBE Yutaka
uid [ultimate] NIIBE Yutaka
sub rsa2048/084239CF 2010-10-15
Keygrip = 65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C
sub rsa2048/5BB065DC 2010-10-22
Keygrip = 5D6C89682D07CCFC034AF508420BF2276D8018ED
sub ed25519/9E350F4D 2015-12-21
Keygrip = 308EB1096486CF3694380875EDC4C2C9973CB000
OK, the keygrip for ed25519/9E350F4D (my Ed25519 key) is:
308EB1096486CF3694380875EDC4C2C9973CB000
I put it in ~/.gnupg/sshcontrol. If done by command-line, it would be:
$ echo 308EB1096486CF3694380875EDC4C2C9973CB000 >> ~/.gnupg/sshcontrol
Well, I did edit the file by Emacs, though. Then, invoke
gpg-connect-agent to reload the file (of sshcontrol).
$ gpg-connect-agent RELOADAGENT /bye
OK
Let's see if gpg-agent knows the new key. I invoke ssh-add -L:
$ ssh-add -L
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQC/XqCK831odBl7Po174AExdRlOcyNSCKfJR18Mrxi8LnKwyjDgGH7Z29Qm4XyZvnLkJvSLcYiSx46iDMWbIYH7w1Or57kp/sUzdlj6clmlV8zklVthppYWpFd+x6Qif9CndRKcPr9S1+tbAIlU5k42RG90XnhEQF1/V3MR01mG0Ey9xBAIoHizZKX5XAjPheVGdDyZERB7Zry3e8kDrU+OjsVTjzq7oXtCE7EwI5c+pBQdF8qfXZC35nAizu0oqQEBne5MsF9ZIBaY/D+hhXVV51oyyCEwNGTr8Ol6KXKK7MWhf16gd0zjulwvO9xH88Q0n1eYur3plH+BZVjXOQPr
cardno:F51700000001
ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIL3u/YlGa9VfB/QdWCv8hOTonLpEoKoci2pCm/uI/XT7 (none)
OK, it is registered now (along with my old RSA key). We can see that
it's shorter than the one of RSA.
I'm putting this new key to my remote host where I already have my RSA
public key.
$ ssh-copy-id MY-REMOTE-HOST
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new
key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if
you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '******.****.***'"
and check to make sure that only the key(s) you wanted were added.
OK, done. My public key of ed25519/9E350F4D is registered onto the
~/.ssh/authorized_key of the remote machine. I'm login-ing into the
machine to confirm my new key really works (removing my token which
has RSA keys)...
gniibe at OrangePI:~$
Yes, I'm using Orange Pi PC these days.
--
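The keygrip and sshcontrol steps from the session above as a script, added here as an example and not part of the original message: it reads the keygrip from the `--with-keygrip` listing, appends it to sshcontrol only once, and reports entries that have no key file. The function names are made up for this example; the `!` prefix for disabled entries and the `<keygrip>.key` file naming are gpg-agent behaviour that the message itself does not show.

```shell
#!/bin/sh
# Added example, not part of the original message.

# Constructed sample: the --with-keygrip listing from the message above
# (uid lines left out).
SAMPLE_LISTING='pub rsa2048/4CA7BABE 2010-10-15
Keygrip = 101DE7B639FE29F4636BDEECF442A9273AFA6565
sub rsa2048/084239CF 2010-10-15
Keygrip = 65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C
sub rsa2048/5BB065DC 2010-10-22
Keygrip = 5D6C89682D07CCFC034AF508420BF2276D8018ED
sub ed25519/9E350F4D 2015-12-21
Keygrip = 308EB1096486CF3694380875EDC4C2C9973CB000'

# keygrip_for KEYID LISTING
# Print the keygrip that follows the pub/sub line ending in /KEYID.
# Fails (status 1) when the key ID is not in the listing.
keygrip_for() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == "pub" || $1 == "sub" {
            n = split($2, part, "/")
            want = (n == 2 && toupper(part[2]) == toupper(id))
            next
        }
        want && $1 == "Keygrip" && $2 == "=" { print $3; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# is_keygrip STRING: true only for exactly 40 hex digits.
is_keygrip() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# sshcontrol_state FILE KEYGRIP
# Print "enabled", "disabled" (entry prefixed with "!") or "absent".
sshcontrol_state() {
    [ -f "$1" ] || { echo absent; return 0; }
    awk -v grip="$(printf '%s' "$2" | tr a-f A-F)" '
        /^[ \t]*#/ || NF == 0 { next }           # comments, blank lines
        { entry = toupper($1) }                  # TTL and flags follow in $2, $3
        entry == grip { state = "enabled" }
        entry == ("!" grip) && state == "" { state = "disabled" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# sshcontrol_add FILE KEYGRIP
# Append KEYGRIP if no entry exists and print "added"; otherwise print
# the existing state. A disabled entry is never re-enabled silently.
sshcontrol_add() {
    is_keygrip "$2" || { echo "invalid keygrip: $2" >&2; return 2; }
    state=$(sshcontrol_state "$1" "$2")
    if [ "$state" = absent ]; then
        (
            umask 077
            # Do not glue the entry onto an unterminated last line.
            [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ] && echo >> "$1"
            printf '%s\n' "$2" >> "$1"
        )
        state=added
    fi
    echo "$state"
}

# sshcontrol_orphans FILE KEYDIR
# Print enabled entries that have no KEYDIR/<keygrip>.key file.
sshcontrol_orphans() {
    [ -f "$1" ] || return 0
    awk '/^[ \t]*#/ || NF == 0 || $1 ~ /^!/ { next } { print toupper($1) }' "$1" |
    while read -r grip; do
        [ -f "$2/$grip.key" ] || printf '%s\n' "$grip"
    done
}

# Demo on a throw-away directory; nothing under ~/.gnupg is touched.
demo() {
    dir=$(mktemp -d) || return 1
    grip=$(keygrip_for 9E350F4D "$SAMPLE_LISTING") || return 1
    sshcontrol_add "$dir/sshcontrol" "$grip"     # first call appends
    sshcontrol_add "$dir/sshcontrol" "$grip"     # second call changes nothing
    sshcontrol_orphans "$dir/sshcontrol" "$dir/private-keys-v1.d"
    rm -rf "$dir"
}
demo
```

Against a real setup, pass the output of `gpg2 --with-keygrip --list-keys` as the listing and `~/.gnupg/sshcontrol` as the file, then reload the agent as shown in the message.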
From guru at unixarea.de Tue Dec 22 13:28:28 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 22 Dec 2015 13:28:28 +0100
Subject: pubring.kbx, no secring?
Message-ID: <20151222122828.GA3916@c720-r285885-amd64>
Hello,
I was using GnuPG v1.x mostly to cipher some private files, i.e. not for
mail and information exchange with other. I will now create a new key to use
this for mail and move to GnuPG v2.x. I have a short question. I created
(until now for test) the key like this:
$ gpg2 --version
gpg (GnuPG) 2.1.6
libgcrypt 1.6.3
...
$ gpg2 --full-gen-key
$ gpg2 --armor --output revoke.asc --gen-revoke guru
the list keys show:
$ gpg2 --list-secret-keys
/home/guru/.gnupg/pubring.kbx
^^^^^^^----------------????
-----------------------------
sec dsa2048/FFEE762B922A6CBB 2015-12-22
uid [ultimate] Matthias Apitz (GnuPGv2)
ssb elg2048/6C7E963A56E2D675 2015-12-22
$ gpg2 --list-public-keys
/home/guru/.gnupg/pubring.kbx
-----------------------------
pub dsa2048/FFEE762B922A6CBB 2015-12-22
uid [ultimate] Matthias Apitz (GnuPGv2)
sub elg2048/6C7E963A56E2D675 2015-12-22
and I have the following files:
$ find .gnupg
.gnupg
.gnupg/gpg.conf
.gnupg/trustdb.gpg
.gnupg/pubring.kbx~
.gnupg/private-keys-v1.d
.gnupg/private-keys-v1.d/EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1.key
.gnupg/private-keys-v1.d/8FB0DD8249EC4A24E2A73B4721098FCDE815FEBB.key
.gnupg/pubring.kbx
.gnupg/openpgp-revocs.d
.gnupg/openpgp-revocs.d/812E69DC246DB739AE84473BFFEE762B922A6CBB.rev
.gnupg/S.gpg-agent
.gnupg/revoke.asc
Question: Why I do not have a file .gnupg/secring.kbx (as I have had
with v1.x)? And, why are the keys stored in .gnupg/private-keys-v1.d?
Thanks
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
From neal at walfield.org Tue Dec 22 14:41:24 2015
From: neal at walfield.org (Neal H. Walfield)
Date: Tue, 22 Dec 2015 14:41:24 +0100
Subject: pubring.kbx, no secring?
In-Reply-To: <20151222122828.GA3916@c720-r285885-amd64>
References: <20151222122828.GA3916@c720-r285885-amd64>
Message-ID: <87r3iey517.wl-neal@walfield.org>
Hi Matthias,
On Tue, 22 Dec 2015 13:28:28 +0100,
Matthias Apitz wrote:
> Question: Why I do not have a file .gnupg/secring.kbx (as I have had
> with v1.x)? And, why are the keys stored in .gnupg/private-keys-v1.d?
The short answer is that we are using a new format.
Note: GnuPG 2 will automatically migrate keys from secring.kbx to
.gnupg/private-keys-v1.d the first time it is run.
:) Neal
From guru at unixarea.de Tue Dec 22 14:45:59 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 22 Dec 2015 14:45:59 +0100
Subject: pubring.kbx, no secring?
In-Reply-To: <87r3iey517.wl-neal@walfield.org>
References: <20151222122828.GA3916@c720-r285885-amd64>
<87r3iey517.wl-neal@walfield.org>
Message-ID: <20151222134559.GA4298@c720-r285885-amd64>
On Tuesday, December 22, 2015 at 02:41:24PM +0100, Neal H. Walfield wrote:
> Hi Matthias,
>
> On Tue, 22 Dec 2015 13:28:28 +0100,
> Matthias Apitz wrote:
> > Question: Why I do not have a file .gnupg/secring.kbx (as I have had
> > with v1.x)? And, why are the keys stored in .gnupg/private-keys-v1.d?
>
> The short answer is that we are using a new format.
>
> Note: GnuPG 2 will automatically migrate keys from secring.kbx to
> .gnupg/private-keys-v1.d the first time it is run.
Hi Neal,
Just to make sure: there have been no v1.x keys (I move away the old
.gnupg dir), why are the new v2 keys in a dir named .gnupg/private-keys-v1.d?
Thx
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
From neal at walfield.org Tue Dec 22 15:03:39 2015
From: neal at walfield.org (Neal H. Walfield)
Date: Tue, 22 Dec 2015 15:03:39 +0100
Subject: pubring.kbx, no secring?
In-Reply-To: <20151222134559.GA4298@c720-r285885-amd64>
References: <20151222122828.GA3916@c720-r285885-amd64>
<87r3iey517.wl-neal@walfield.org>
<20151222134559.GA4298@c720-r285885-amd64>
Message-ID: <87poxyy404.wl-neal@walfield.org>
On Tue, 22 Dec 2015 14:45:59 +0100,
Matthias Apitz wrote:
> On Tuesday, December 22, 2015 at 02:41:24PM +0100, Neal H. Walfield wrote:
>
> > Hi Matthias,
> >
> > On Tue, 22 Dec 2015 13:28:28 +0100,
> > Matthias Apitz wrote:
> > > Question: Why I do not have a file .gnupg/secring.kbx (as I have had
> > > with v1.x)? And, why are the keys stored in .gnupg/private-keys-v1.d?
> >
> > The short answer is that we are using a new format.
> >
> > Note: GnuPG 2 will automatically migrate keys from secring.kbx to
> > .gnupg/private-keys-v1.d the first time it is run.
>
> Hi Neal,
>
> Just to make sure: there have been no v1.x keys (I move away the old
> .gnupg dir), why are the new v2 keys in a dir named .gnupg/private-keys-v1.d?
I don't really understand your question, but I'll try to answer what I
think you are asking:
secring is the old format; private-keys-v1.d is the new format. GnuPG
1 doesn't know about the new format; GnuPG 2 only uses the new format,
but the first time it is run it will migrate any existing keys from
the old format to the new format.
:) Neal
From guru at unixarea.de Tue Dec 22 15:08:46 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 22 Dec 2015 15:08:46 +0100
Subject: pubring.kbx, no secring?
In-Reply-To: <87poxyy404.wl-neal@walfield.org>
References: <20151222122828.GA3916@c720-r285885-amd64>
<87r3iey517.wl-neal@walfield.org>
<20151222134559.GA4298@c720-r285885-amd64>
<87poxyy404.wl-neal@walfield.org>
Message-ID: <20151222140846.GA4432@c720-r285885-amd64>
On Tuesday, December 22, 2015 at 03:03:39PM +0100, Neal H. Walfield wrote:
> > Just to make sure: there have been no v1.x keys (I move away the old
> > .gnupg dir), why are the new v2 keys in a dir named .gnupg/private-keys-v1.d?
>
> I don't really understand your question, but I'll try to answer what I
> think you are asking:
>
> secring is the old format; private-keys-v1.d is the new format. GnuPG
> 1 doesn't know about the new format; GnuPG 2 only uses the new format,
> but the first time it is run it will migrate any existing keys from
> the old format to the new format.
I understand the migration of the old v1 keys to a new form/directory; but
why the new keys of v2 are stored in a dir private-keys-v1.d and not in
a dir for example private-keys-v2.d; don't you think that such name *v1.d* confuses
people (like me)?
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
From neal at walfield.org Tue Dec 22 15:22:42 2015
From: neal at walfield.org (Neal H. Walfield)
Date: Tue, 22 Dec 2015 15:22:42 +0100
Subject: pubring.kbx, no secring?
In-Reply-To: <20151222140846.GA4432@c720-r285885-amd64>
References: <20151222122828.GA3916@c720-r285885-amd64>
<87r3iey517.wl-neal@walfield.org>
<20151222134559.GA4298@c720-r285885-amd64>
<87poxyy404.wl-neal@walfield.org>
<20151222140846.GA4432@c720-r285885-amd64>
Message-ID: <87oadiy34d.wl-neal@walfield.org>
On Tue, 22 Dec 2015 15:08:46 +0100,
Matthias Apitz wrote:
>
> On Tuesday, December 22, 2015 at 03:03:39PM +0100, Neal H. Walfield wrote:
>
> > > Just to make sure: there have been no v1.x keys (I move away the old
> > > .gnupg dir), why are the new v2 keys in a dir named .gnupg/private-keys-v1.d?
> >
> > I don't really understand your question, but I'll try to answer what I
> > think you are asking:
> >
> > secring is the old format; private-keys-v1.d is the new format. GnuPG
> > 1 doesn't know about the new format; GnuPG 2 only uses the new format,
> > but the first time it is run it will migrate any existing keys from
> > the old format to the new format.
>
> I understand the migration of the old v1 keys to a new form/directory; but
> why the new keys of v2 are stored in a dir private-keys-v1.d and not in
> a dir for example private-keys-v2.d; don't you think that such name *v1.d* confuses
> people (like me)?
v1 is the version of the format, which is independent of GnuPG's
format. I can see how it would be confusing, sorry about that.
:) Neal
From wk at gnupg.org Tue Dec 22 16:26:48 2015
From: wk at gnupg.org (Werner Koch)
Date: Tue, 22 Dec 2015 16:26:48 +0100
Subject: pubring.kbx, no secring?
In-Reply-To: <20151222140846.GA4432@c720-r285885-amd64> (Matthias Apitz's
message of "Tue, 22 Dec 2015 15:08:46 +0100")
References: <20151222122828.GA3916@c720-r285885-amd64>
<87r3iey517.wl-neal@walfield.org>
<20151222134559.GA4298@c720-r285885-amd64>
<87poxyy404.wl-neal@walfield.org>
<20151222140846.GA4432@c720-r285885-amd64>
Message-ID: <87zix2sdvr.fsf@vigenere.g10code.de>
On Tue, 22 Dec 2015 15:08, guru at unixarea.de said:
> why the new keys of v2 are stored in a dir private-keys-v1.d and not in
> a dir for example private-keys-v2.d; don't you think that such name *v1.d* confuses
> people (like me)?
You are the first one to comment on this ;-) The new format is actually
much older than gnupg 2.1. We use it since about 2003, albeit then only
for gpgsm (X.509, S/MIME).
Note also that there are actually two changes: private-keys-v1.d/
replaces the secring.gpg and pubring.kbx replaces pubring.gpg. However,
we still support the old pubring.gpg format and only create the new
pubring.kbx format if no pubring.gpg exists.
To make things more complicated, pubring.kbx is used by gpg 2.1 only iff
it has been created by gpg or if an OpenPGP key has been inserted. Thus
for public keys there are these cases:
- Only pubring.kbx: Used by gpgsm and gpg for all keys.
- Only pubring.gpg: Used by gpg; if gpgsm creates or imports the first
X.509 certificate that will be stored in a newly created pubring.kbx.
- pubring.kbx and pubring.gpg but no OpenPGP key in pubring.kbx: The
first is used by gpgsm and the latter by gpg.
- pubring.kbx and pubring.gpg but with OpenPGP key in pubring.kbx:
Only pubring.kbx is used by both, gpg and gpgsm.
Now, how can you know whether gpg uses pubring.kbx? There are three
ways: The first is to use -v with a key listing and gpg prints the name
of the key database. The seconds is
$ kbxutil --stats ~/.gnupg/pubring.kbx
Total number of blobs: 30
header: 1
empty: 0
openpgp: 5
x509: 3
non flagged: 8
secret flagged: 0
ephemeral flagged: 0
which shows that there are OpenPGP keys, and the third is
$ kbxutil ~/.gnupg/pubring.kbx | head | grep Flags
Flags: 0002 (openpgp)
The flag shows that the pubring.kbx is used for OpenPGP keys. This is
actually how gpg decides whether to use pubring.kbx.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
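Added example, not part of the thread and not GnuPG's own code: a shell sketch that sorts a GnuPG home directory into the four public-keyring cases listed in the message above, using the header "Flags:" line that kbxutil prints. The function names, the KBXUTIL override variable, the output strings and the constructed dump text are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): decide which public keyring
# gpg 2.1 and gpgsm use, following the four cases in the message above.

# Read a `kbxutil FILE` dump on stdin and succeed only if the first
# "Flags:" line (the header blob) carries the openpgp flag.
kbx_header_has_openpgp() {
    awk '/^[ \t]*Flags:/ { found = ($0 ~ /openpgp/) ? 1 : 0; exit }
         END { exit (found ? 0 : 1) }'
}

# pubring_case HOMEDIR
# Prints "gpg=<keyring> gpgsm=<keyring>"; "none" means no keyring file
# exists yet for that tool. KBXUTIL may name a replacement for the kbxutil
# binary (an assumption of this example, used for offline runs).
pubring_case() {
    kbx_file="$1/pubring.kbx"
    gpg_file="$1/pubring.gpg"

    has_openpgp=no
    if [ -f "$kbx_file" ] &&
       "${KBXUTIL:-kbxutil}" "$kbx_file" 2>/dev/null | kbx_header_has_openpgp
    then
        has_openpgp=yes
    fi

    if [ -f "$kbx_file" ] && [ ! -f "$gpg_file" ]; then
        # Only pubring.kbx: used by gpgsm and gpg for all keys.
        echo "gpg=pubring.kbx gpgsm=pubring.kbx"
    elif [ ! -f "$kbx_file" ] && [ -f "$gpg_file" ]; then
        # Only pubring.gpg: gpgsm creates pubring.kbx on its first import.
        echo "gpg=pubring.gpg gpgsm=none"
    elif [ -f "$kbx_file" ] && [ -f "$gpg_file" ]; then
        if [ "$has_openpgp" = yes ]; then
            # OpenPGP flag set in the header: both tools use pubring.kbx.
            echo "gpg=pubring.kbx gpgsm=pubring.kbx"
        else
            # No OpenPGP key in pubring.kbx: gpg keeps using pubring.gpg.
            echo "gpg=pubring.gpg gpgsm=pubring.kbx"
        fi
    else
        echo "gpg=none gpgsm=none"
    fi
}

# Demo on a constructed directory. KBXUTIL=cat makes pubring_case read a
# constructed text dump instead of running kbxutil on a real keybox file.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Type:   Header\nFlags:   0002 (openpgp)\n' > "$d/pubring.kbx"
    : > "$d/pubring.gpg"
    ( KBXUTIL=cat; pubring_case "$d" )
    rm -rf "$d"
}
demo
```

On a real system, leave KBXUTIL unset so that the installed kbxutil reads the actual pubring.kbx.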
From guru at unixarea.de Wed Dec 23 09:23:12 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 23 Dec 2015 09:23:12 +0100
Subject: keysearch fails
Message-ID: <20151223082312.GA2833@c720-r285885-amd64>
Hello,
I can not manage to get a keysearch via dirmngr to work; when I use:
$ gpg2 --keyserver pool.sks-keyservers.net --debug 1024 --search xxxx at FreeBSD.org
gpg: reading options from '/home/guru/.gnupg/gpg.conf'
gpg: enabled debug flags: ipc
gpg: DBG: chan_3 KEYSERVER --clear hkp://pool.sks-keyservers.net
gpg: DBG: chan_3 KS_SEARCH -- xxxx at FreeBSD.org
gpg: DBG: chan_3 BYE
gpg: secmem usage: 0/32768 bytes in 0 blocks
In /var/log/message I see:
Dec 23 09:15:09 c720-r285885-amd64 kernel: pid 2809 (dirmngr), uid 1001: exited on signal 6
which perhaps is normal (somehow the spawned proc must be killed); but a
TCPDUMP only shows a lot of PTR requests, see below. No real traffic is
to be seen to no server.
What do I miss here?
matthias
09:15:57.465887 IP 10.42.0.152.26961 > 10.42.0.1.53: 57200+ A? pool.sks-keyservers.net. (41)
09:15:57.698231 IP 10.42.0.1.53 > 10.42.0.152.26961: 57200 10/0/0 A 176.9.51.79, A 193.224.163.43, A 207.237.164.231, A 193.17.17.6, A 85.93.13.183, A 104.236.44.212, A 46.229.47.139, A 223.252.21.101, A 192.71.151.126, A 144.76.120.109 (201)
09:15:57.698443 IP 10.42.0.152.15292 > 10.42.0.1.53: 44337+ AAAA? pool.sks-keyservers.net. (41)
09:15:58.136982 IP 10.42.0.1.53 > 10.42.0.152.15292: 44337 10/0/0 AAAA 2604:a880:800:10::60d:b001, AAAA 2a03:4000:6:202e::1, AAAA 2a01:7a0:1::6, AAAA 2001:470:1f09:1d75::80, AAAA 2a01:4f8:a0:4024::2:0, AAAA 2a01:4f8:150:7142::2, AAAA 2001:41d0:2:a8b4::10, AAAA 2a02:168:4a01::37, AAAA 2604:a880:800:10::688:e001, AAAA 2001:6f8:124e::1 (321)
09:15:58.138270 IP 10.42.0.152.57903 > 10.42.0.1.53: 3651+ PTR? 212.44.236.104.in-addr.arpa. (45)
09:15:58.139749 IP 10.42.0.1.53 > 10.42.0.152.57903: 3651 1/0/0 PTR openpgp.us. (69)
09:15:58.140405 IP 10.42.0.152.49791 > 10.42.0.1.53: 29976+ PTR? 126.151.71.192.in-addr.arpa. (45)
09:15:58.142479 IP 10.42.0.1.53 > 10.42.0.152.49791: 29976 1/0/0 PTR mimir.alderwick.co.uk. (80)
09:15:58.142854 IP 10.42.0.152.20861 > 10.42.0.1.53: 61059+ PTR? 101.21.252.223.in-addr.arpa. (45)
09:15:58.144671 IP 10.42.0.1.53 > 10.42.0.152.20861: 61059 1/0/0 PTR svcs4.riverwillow.net.au. (83)
09:15:58.145031 IP 10.42.0.152.51574 > 10.42.0.1.53: 21456+ PTR? 139.47.229.46.in-addr.arpa. (44)
09:15:58.146670 IP 10.42.0.1.53 > 10.42.0.152.51574: 21456 1/0/0 PTR jarvis.alpha-labs.net. (79)
09:15:58.147016 IP 10.42.0.152.24483 > 10.42.0.1.53: 11392+ PTR? 79.51.9.176.in-addr.arpa. (42)
09:15:58.149302 IP 10.42.0.1.53 > 10.42.0.152.24483: 11392 1/0/0 PTR alita.karotte.org. (73)
09:15:58.149639 IP 10.42.0.152.45716 > 10.42.0.1.53: 51515+ PTR? 183.13.93.85.in-addr.arpa. (43)
09:15:58.150581 IP 10.42.0.1.53 > 10.42.0.152.45716: 51515 1/0/0 PTR host10.slyinvestment.com. (81)
09:15:58.151058 IP 10.42.0.152.31608 > 10.42.0.1.53: 34134+ PTR? 6.17.17.193.in-addr.arpa. (42)
09:15:58.153963 IP 10.42.0.1.53 > 10.42.0.152.31608: 34134 1/0/0 PTR key.ip6.li. (66)
09:15:58.154314 IP 10.42.0.152.37867 > 10.42.0.1.53: 56496+ PTR? 231.164.237.207.in-addr.arpa. (46)
09:15:58.156621 IP 10.42.0.1.53 > 10.42.0.152.37867: 56496 1/0/0 PTR keys.sflc.info. (74)
09:15:58.156959 IP 10.42.0.152.20412 > 10.42.0.1.53: 34648+ PTR? 43.163.224.193.in-addr.arpa. (45)
09:15:58.158943 IP 10.42.0.1.53 > 10.42.0.152.20412: 34648 1/0/0 PTR hufu.ki.iif.hu. (73)
09:15:58.159277 IP 10.42.0.152.46457 > 10.42.0.1.53: 32569+ PTR? 109.120.76.144.in-addr.arpa. (45)
09:15:58.161678 IP 10.42.0.1.53 > 10.42.0.152.46457: 32569 1/0/0 PTR encrypt.to. (69)
09:15:58.162290 IP 10.42.0.152.58716 > 10.42.0.1.53: 61479+ PTR? 0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.4.2.0.4.0.a.0.0.8.f.4.0.1.0.a.2.ip6.arpa. (90)
09:15:58.163688 IP 10.42.0.1.53 > 10.42.0.152.58716: 61479 1/0/0 PTR a.keyserver.pki.scientia.net. (132)
09:15:58.164128 IP 10.42.0.152.32231 > 10.42.0.1.53: 26254+ PTR? 1.0.0.e.8.8.6.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.8.0.0.8.8.a.4.0.6.2.ip6.arpa. (90)
09:15:58.166679 IP 10.42.0.1.53 > 10.42.0.152.32231: 26254 0/0/0 (90)
09:15:58.167037 IP 10.42.0.152.15342 > 10.42.0.1.53: 14504+ PTR? 7.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.a.4.8.6.1.0.2.0.a.2.ip6.arpa. (90)
09:15:58.168514 IP 10.42.0.1.53 > 10.42.0.152.15342: 14504 1/0/0 PTR pgpkeys.urown.net. (121)
09:15:58.168872 IP 10.42.0.152.49875 > 10.42.0.1.53: 39926+ PTR? 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.b.8.a.2.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. (90)
09:15:58.170820 IP 10.42.0.1.53 > 10.42.0.152.49875: 39926 NXDomain 0/0/0 (90)
09:15:58.171163 IP 10.42.0.152.32030 > 10.42.0.1.53: 45608+ PTR? 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.1.7.0.5.1.0.8.f.4.0.1.0.a.2.ip6.arpa. (90)
09:15:58.173415 IP 10.42.0.1.53 > 10.42.0.152.32030: 45608 1/0/0 PTR alita.karotte.org. (121)
09:15:58.173779 IP 10.42.0.152.48813 > 10.42.0.1.53: 38867+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.4.2.1.8.f.6.0.1.0.0.2.ip6.arpa. (90)
09:15:59.037424 IP 10.42.0.1.53 > 10.42.0.152.48813: 38867 FormErr 0/0/0 (90)
09:15:59.037986 IP 10.42.0.152.57139 > 10.42.0.1.53: 19220+ PTR? 0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.d.1.9.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. (90)
09:15:59.043902 IP 10.42.0.1.53 > 10.42.0.152.57139: 19220 NXDomain 0/0/0 (90)
09:15:59.044301 IP 10.42.0.152.52403 > 10.42.0.1.53: 1040+ PTR? 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.a.7.0.1.0.a.2.ip6.arpa. (90)
09:15:59.053424 IP 10.42.0.1.53 > 10.42.0.152.52403: 1040 1/0/0 PTR key.ip6.li. (114)
09:15:59.053950 IP 10.42.0.152.25246 > 10.42.0.1.53: 33858+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.2.0.2.6.0.0.0.0.0.0.4.3.0.a.2.ip6.arpa. (90)
09:15:59.056508 IP 10.42.0.1.53 > 10.42.0.152.25246: 33858 1/0/0 PTR metalgamer.eu. (117)
09:15:59.057051 IP 10.42.0.152.28425 > 10.42.0.1.53: 31847+ PTR? 1.0.0.b.d.0.6.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.8.0.0.8.8.a.4.0.6.2.ip6.arpa. (90)
09:15:59.058008 IP 10.42.0.1.53 > 10.42.0.152.28425: 31847 1/0/0 PTR openpgp.us. (114)
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
From mailinglists at vanwingerde.net Wed Dec 23 00:00:29 2015
From: mailinglists at vanwingerde.net (Jaap van Wingerde)
Date: Tue, 22 Dec 2015 23:00:29 +0000
Subject: Problems with ESTEID and gpgsm
Message-ID: <20151222230029.0c38449c@jaap.custard.shrl.nl>
How can I solve them?
jaap at jaap:~$ gpgsm --help
gpgsm (GnuPG) 2.0.26
libgcrypt 1.6.3
libksba 1.3.2-unknown
...
jaap at jaap:~$
jaap at jaap:~$ /usr/bin/gpgsm -vvvvs txt.txt
gpgsm: enabled debug flags: x509 assuan
gpgsm: no key usage specified - assuming all usages
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 39 C0 56 38 84 B2 C1 01 B2 0C 59 ED 40 27 B5 01 93
FF F7 72 gpgsm: no running gpg-agent - starting one
gpg-agent[22381]: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 31 F0 60 FB CE A5 21 00 E5 68 D2 6C 98 FD ED 9A 12
B1 60 15 gpgsm: certificate is not usable for signing
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 23 59 EB D7 45 0D 9A 7F F3 25 FD 94 27 7E CC 32 D2
DD 22 53 gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= C5 BD 3D 02 E5 E7 6D D2 75 40 C6 62 D0 B7 47 7C 16
92 67 39 gpgsm: no default signer found
gpgsm: error creating signature: General error
secmem usage: 0/16384 bytes in 0 blocks
jaap at jaap:~$
jaap at jaap:~$ /usr/bin/gpgsm --learn-card
gpgsm: enabled debug flags: x509 assuan
gpgsm: no running gpg-agent - starting one
gpg-agent[22386]: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gnupg-pkcs11-scd[22387.3394275072]: version: 0.7.3
gnupg-pkcs11-scd[22387.3394275072]: config: debug=1, verbose=1
gnupg-pkcs11-scd[22387.3394275072]: config: pin_cache=-1
gnupg-pkcs11-scd[22387.3394275072]: config: provider: name=esteid,
library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so,
allow_protected=1, cert_is_private=1, private_mask=00000001
gnupg-pkcs11-scd[22387.3394275072]: run_mode: 2
gnupg-pkcs11-scd[22387.3394275072]: crypto: openssl
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider entry
version='1.11', pid=22387, reference='esteid',
provider_location='/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so',
allow_protected_auth=1, mask_private_mode=00000001, cert_is_private=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Adding provider
'esteid'-'/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider
Provider 'esteid' manufacturerID 'OpenSC (www.opensc-project.org)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify
entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_notify return gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: Provider 'esteid' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider return
rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: Listening to socket
'/tmp/gnupg-pkcs11-scd.xWcx6d/agent.S' gnupg-pkcs11-scd[22387]: chan_6
-> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[22387]: chan_6
D /tmp/gnupg-pkcs11-scd.xWcx6d/agent.S gnupg-pkcs11-scd[22387]: chan_6
-> OK gnupg-pkcs11-scd[22387]: chan_6 S SERIALNO
D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387]: chan_6 ->
OK gnupg-pkcs11-scd[22387]: chan_6 S SERIALNO
D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1,
mask_prompt=00000003, p_cert_id_issuers_list=0x7ffc1c633f48,
p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0,
token_present=1, pSlotList=0x7ffc1c633e00, pulCount=0x7ffc1c633e08
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
entry p_token_id=0x7ffc1c633e18 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId
return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600,
p_session=0x7ffc1c633e10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Creating a new session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId entry to=0xd3ff28 form=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
*p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10,
user_data=0xd34880, mask_prompt=00000003
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Get certificate attributes
failed: 179:'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login
entry session=0xd3ff10, is_publicOnly=1, readonly=1,
user_data=0xd34880, mask_prompt=00000001
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_logout return gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_reset entry session=0xd3ff10,
user_data=0xd34880, mask_prompt=00000001, p_slot=0x7ffc1c633858
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset
Expected token manufacturerID='AS Sertifitseerimiskeskus'
model='PKCS#15 emulated', serialNumber='N0108352', label='VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0,
token_present=1, pSlotList=0x7ffc1c6336f8, pulCount=0x7ffc1c633700
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
entry p_token_id=0x7ffc1c633708 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633660
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId
return rv=0-'CKR_OK', *p_token_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
return rv=0-'CKR_OK', *p_token_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset
Found token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15
emulated', serialNumber='N0108352', label='VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Calling pin_prompt hook
for 'VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387]: chan_6
-> INQUIRE NEEDPIN PIN required for token 'VAN
WINGERDE,JACOB,35402120120 (' (try 0) gnupg-pkcs11-scd[22387]: chan_6
pin_expire_time=0, time=1450824309
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate
return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_findObjects entry session=0xd3ff10,
filter=0x7ffc1c633d10, filter_attrs=1, p_objects=0x7ffc1c633cf0,
p_objects_found=0x7ffc1c633cf8 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK',
*p_objects_found=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getObjectAttributes entry session=0xd3ff10,
object=13889536, attrs=0x7ffc1c633d30, count=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_newCertificateId entry
p_certificate_id=0x7ffc1c633d00 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK',
*p_certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId entry to=0xd40c70 form=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd410a0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_updateCertificateIdDescription entry
certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_updateCertificateIdDescription return
displayName='/C=EE/O=ESTEID (DIGI-ID
E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN
WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_freeObjectAttributes entry
attrs=0x7ffc1c633d30, count=2 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId entry to=0xd3fef8
form=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_splitCertificateIdList entry
cert_id_all=0xd3fef0, p_cert_id_issuers_list=0x7ffc1c633f48,
p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3e258
form=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fef0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387]: chan_6 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create
entry certificate_id=0xd41f30, user_data=0xd34880,
mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffc1c633e40
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId entry to=0xd40140
form=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId entry token_id=0xd41a20,
p_session=0xd40150 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using
cached session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
*p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0xd40140
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140,
certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140,
certificate_blob=0xd42ce0, *p_certificate_blob_size=0000000000000507
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificate entry certificate=0xd40140
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd41a20 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificate return gpgsm: error learning card:
No inquire callback in IPC secmem usage: 0/16384 bytes in 0 blocks
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_openssl_ex_data_free entered - parent=0xd44240, ptr=(nil),
ad=0xd442a0, idx=0, argl=0, argp=0x7fb4c91f08e3
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId entry sz=(nil),
*max=0000000000000000, certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000,
token_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId return rv=0-'CKR_OK',
*max=000000000000006d, sz='(null)' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_serializeCertificateId return
rv=0-'CKR_OK', *max=0000000000000070, sz='(null)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId entry sz=0xd41ba0,
*max=0000000000000070, certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId entry sz=0xd41ba0,
*max=0000000000000070, token_id=0xd42360
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId return rv=0-'CKR_OK',
*max=000000000000006d,
sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK',
*max=0000000000000070,
sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01'
gnupg-pkcs11-scd[22387]: chan_6 -> S KEY-FRIEDNLY
BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 /C=EE/O=ESTEID (DIGI-ID
E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN
WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN
WINGERDE,JACOB,35402120120 ( gnupg-pkcs11-scd[22387]: chan_6 -> S
KEYPAIRINFO BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1
AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3e250
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387]: chan_6 -> OK jaap at jaap:~$
gnupg-pkcs11-scd[22387]: chan_6 OK gnupg-pkcs11-scd[22387.3394275072]: assuan_process failed:
Broken pipe gnupg-pkcs11-scd[22387.3357775616]: Cleaning up threads
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_terminate entry
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating openssl
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_openssl_terminate
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing providers
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider
entry reference='esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Removing provider 'esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_notify entry gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider
return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Releasing sessions gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_freeTokenId entry certificate_id=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fcb0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40c70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd410a0 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating slotevent
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_terminate entry gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_slotevent_terminate return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Marking as uninitialized
^C
jaap at jaap:~$
--
Jaap van Wingerde
e-mail: 1234567890 at vanwingerde.nl
From guru at unixarea.de Wed Dec 23 11:12:30 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 23 Dec 2015 11:12:30 +0100
Subject: keysearch fails
In-Reply-To: <20151223082312.GA2833@c720-r285885-amd64>
References: <20151223082312.GA2833@c720-r285885-amd64>
Message-ID: <20151223101230.GA7885@c720-r285885-amd64>
On Wednesday, December 23, 2015 at 09:23:12AM +0100, Matthias Apitz wrote:
> Hello,
>
> I can not manage to get a keysearch via dirmngr to work; when I use:
>
> $ gpg2 --keyserver pool.sks-keyservers.net --debug 1024 --search xxxx at FreeBSD.org
> gpg: reading options from '/home/guru/.gnupg/gpg.conf'
> gpg: enabled debug flags: ipc
> gpg: DBG: chan_3 gpg: DBG: chan_3 gpg: DBG: chan_3 gpg: DBG: connection to the dirmngr established
> gpg: DBG: chan_3 -> KEYSERVER --clear hkp://pool.sks-keyservers.net
> gpg: DBG: chan_3 gpg: DBG: chan_3 -> KS_SEARCH -- xxxx at FreeBSD.org
> gpg: DBG: chan_3 gpg: error searching keyserver: End of file
> gpg: búsqueda del servidor de claves fallida: End of file
> gpg: DBG: chan_3 -> BYE
> gpg: secmem usage: 0/32768 bytes in 0 blocks
Seems to be a known bug:
$ dirmngr
# Home: ~/.gnupg
# Config: /home/guru/.gnupg/dirmngr.conf
OK Dirmngr 2.1.6 at your service
KEYSERVER hkps://hkps.pool.sks-keyservers.net
OK
KS_SEARCH matthew at FreeBSD.org
Assertion failed: (a >= 0 && a < hosttable_size), function
sort_hostpool, file ks-engine-hkp.c, line 179.
Abort trap (core dumped)
https://bugs.gnupg.org/gnupg/issue2107
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
"(on the GDR)... And this shortage (of socialism) alone, and nothing else, led to its death.
And whoever does not mourn has no heart, and whoever does not set to work anew does not
deserve one either.", junge Welt, October 3, 2015, p. 11
From wk at gnupg.org Wed Dec 23 12:12:07 2015
From: wk at gnupg.org (Werner Koch)
Date: Wed, 23 Dec 2015 12:12:07 +0100
Subject: keysearch fails
In-Reply-To: <20151223082312.GA2833@c720-r285885-amd64> (Matthias Apitz's
message of "Wed, 23 Dec 2015 09:23:12 +0100")
References: <20151223082312.GA2833@c720-r285885-amd64>
Message-ID: <87fuyts9ko.fsf@vigenere.g10code.de>
On Wed, 23 Dec 2015 09:23, guru at unixarea.de said:
> gpg: DBG: chan_3 Dec 23 09:15:09 c720-r285885-amd64 kernel: pid 2809 (dirmngr), uid 1001: exited on signal 6
Which probably is SIGABRT which in turn may indicate that an assert()
failed. If this problem persists with 2.1.10 please run dirmngr under a
debugger:
gdb --args dirmngr -v server
Then "run" and enter the commands
KEYSERVER --clear hkp://pool.sks-keyservers.net
and
KS_SEARCH -- xxxx at FreeBSD.org
On the signal you should get back to the debugger prompt and so you can
print a stack backtrace. If it is indeed an assert you may run dirmngr
w/o a debugger and the assert will print the diagnostics to stderr which
you should be able to see.
> which perhaps is normal (somehow the spawned proc must be killed); but a
No, dirmngr is started on-the-fly as a daemon. To stop it you either
use "pkill dirmngr" or "gpgconf --kill dirmngr".
> TCPDUMP only shows a lot of PTR requests, see below. No real traffic is
> to be seen to no server.
It is resolving the pool addresses to select one of the servers.
With 2.1.10 there are two different resolver libraries in use, entering
getinfo dnsinfo
on the "dirmngr --server" prompt shows you which one is used.
To play with dirmngr it is often easier to use
gpg-connect-agent --dirmngr -v
which enables you to use readline and some other goodies.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From wk at gnupg.org Wed Dec 23 12:15:31 2015
From: wk at gnupg.org (Werner Koch)
Date: Wed, 23 Dec 2015 12:15:31 +0100
Subject: Problems with ESTEID and gpgsm
In-Reply-To: <20151222230029.0c38449c@jaap.custard.shrl.nl> (Jaap van
Wingerde's message of "Tue, 22 Dec 2015 23:00:29 +0000")
References: <20151222230029.0c38449c@jaap.custard.shrl.nl>
Message-ID: <87bn9hs9f0.fsf@vigenere.g10code.de>
On Wed, 23 Dec 2015 00:00, mailinglists at vanwingerde.net said:
> gnupg-pkcs11-scd[22387.3394275072]: version: 0.7.3
You are using some modified version of GnuPG's scdaemon. Please ask the
author of that version for help. The parts of GnuPG all belong together
and it is in general not a good idea to exchange one of the components.
The APIs used between the GnuPG components are not stable between
versions.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From mailinglists at vanwingerde.nl Wed Dec 23 12:23:00 2015
From: mailinglists at vanwingerde.nl (Jaap van Wingerde)
Date: Wed, 23 Dec 2015 11:23:00 +0000
Subject: Problems with ESTEID and gpgsm
Message-ID: <20151223112300.0502bef1@jaap.custard.shrl.nl>
How can I solve them?
jaap at jaap:~$ gpgsm --help
gpgsm (GnuPG) 2.0.26
libgcrypt 1.6.3
libksba 1.3.2-unknown
...
jaap at jaap:~$
jaap at jaap:~$ /usr/bin/gpgsm -vvvvs txt.txt
gpgsm: enabled debug flags: x509 assuan
gpgsm: no key usage specified - assuming all usages
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 39 C0 56 38 84 B2 C1 01 B2 0C 59 ED 40 27 B5 01 93
FF F7 72 gpgsm: no running gpg-agent - starting one
gpg-agent[22381]: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 31 F0 60 FB CE A5 21 00 E5 68 D2 6C 98 FD ED 9A 12
B1 60 15 gpgsm: certificate is not usable for signing
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 23 59 EB D7 45 0D 9A 7F F3 25 FD 94 27 7E CC 32 D2
DD 22 53 gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= C5 BD 3D 02 E5 E7 6D D2 75 40 C6 62 D0 B7 47 7C 16
92 67 39 gpgsm: no default signer found
gpgsm: error creating signature: General error
secmem usage: 0/16384 bytes in 0 blocks
jaap at jaap:~$
jaap at jaap:~$ /usr/bin/gpgsm --learn-card
gpgsm: enabled debug flags: x509 assuan
gpgsm: no running gpg-agent - starting one
gpg-agent[22386]: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gnupg-pkcs11-scd[22387.3394275072]: version: 0.7.3
gnupg-pkcs11-scd[22387.3394275072]: config: debug=1, verbose=1
gnupg-pkcs11-scd[22387.3394275072]: config: pin_cache=-1
gnupg-pkcs11-scd[22387.3394275072]: config: provider: name=esteid,
library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so,
allow_protected=1, cert_is_private=1, private_mask=00000001
gnupg-pkcs11-scd[22387.3394275072]: run_mode: 2
gnupg-pkcs11-scd[22387.3394275072]: crypto: openssl
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider entry
version='1.11', pid=22387, reference='esteid',
provider_location='/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so',
allow_protected_auth=1, mask_private_mode=00000001, cert_is_private=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Adding provider
'esteid'-'/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider
Provider 'esteid' manufacturerID 'OpenSC (www.opensc-project.org)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify
entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_notify return gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: Provider 'esteid' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider return
rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: Listening to socket
'/tmp/gnupg-pkcs11-scd.xWcx6d/agent.S' gnupg-pkcs11-scd[22387]: chan_6
-> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[22387]: chan_6
D /tmp/gnupg-pkcs11-scd.xWcx6d/agent.S gnupg-pkcs11-scd[22387]: chan_6
-> OK gnupg-pkcs11-scd[22387]: chan_6 S SERIALNO
D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387]: chan_6 ->
OK gnupg-pkcs11-scd[22387]: chan_6 S SERIALNO
D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1,
mask_prompt=00000003, p_cert_id_issuers_list=0x7ffc1c633f48,
p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0,
token_present=1, pSlotList=0x7ffc1c633e00, pulCount=0x7ffc1c633e08
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
entry p_token_id=0x7ffc1c633e18 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId
return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600,
p_session=0x7ffc1c633e10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Creating a new session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId entry to=0xd3ff28 form=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
*p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10,
user_data=0xd34880, mask_prompt=00000003
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Get certificate attributes
failed: 179:'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login
entry session=0xd3ff10, is_publicOnly=1, readonly=1,
user_data=0xd34880, mask_prompt=00000001
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_logout return gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_reset entry session=0xd3ff10,
user_data=0xd34880, mask_prompt=00000001, p_slot=0x7ffc1c633858
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset
Expected token manufacturerID='AS Sertifitseerimiskeskus'
model='PKCS#15 emulated', serialNumber='N0108352', label='VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0,
token_present=1, pSlotList=0x7ffc1c6336f8, pulCount=0x7ffc1c633700
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
entry p_token_id=0x7ffc1c633708 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633660
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId
return rv=0-'CKR_OK', *p_token_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
return rv=0-'CKR_OK', *p_token_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset
Found token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15
emulated', serialNumber='N0108352', label='VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Calling pin_prompt hook
for 'VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387]: chan_6
-> INQUIRE NEEDPIN PIN required for token 'VAN
WINGERDE,JACOB,35402120120 (' (try 0) gnupg-pkcs11-scd[22387]: chan_6
pin_expire_time=0, time=1450824309
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate
return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_findObjects entry session=0xd3ff10,
filter=0x7ffc1c633d10, filter_attrs=1, p_objects=0x7ffc1c633cf0,
p_objects_found=0x7ffc1c633cf8 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK',
*p_objects_found=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getObjectAttributes entry session=0xd3ff10,
object=13889536, attrs=0x7ffc1c633d30, count=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_newCertificateId entry
p_certificate_id=0x7ffc1c633d00 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK',
*p_certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId entry to=0xd40c70 form=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd410a0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_updateCertificateIdDescription entry
certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_updateCertificateIdDescription return
displayName='/C=EE/O=ESTEID (DIGI-ID
E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN
WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_freeObjectAttributes entry
attrs=0x7ffc1c633d30, count=2 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId entry to=0xd3fef8
form=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_splitCertificateIdList entry
cert_id_all=0xd3fef0, p_cert_id_issuers_list=0x7ffc1c633f48,
p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3e258
form=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fef0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387]: chan_6 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create
entry certificate_id=0xd41f30, user_data=0xd34880,
mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffc1c633e40
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId entry to=0xd40140
form=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId entry token_id=0xd41a20,
p_session=0xd40150 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using
cached session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
*p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0xd40140
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140,
certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140,
certificate_blob=0xd42ce0, *p_certificate_blob_size=0000000000000507
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificate entry certificate=0xd40140
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd41a20 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificate return gpgsm: error learning card:
No inquire callback in IPC secmem usage: 0/16384 bytes in 0 blocks
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_openssl_ex_data_free entered - parent=0xd44240, ptr=(nil),
ad=0xd442a0, idx=0, argl=0, argp=0x7fb4c91f08e3
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId entry sz=(nil),
*max=0000000000000000, certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000,
token_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId return rv=0-'CKR_OK',
*max=000000000000006d, sz='(null)' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_serializeCertificateId return
rv=0-'CKR_OK', *max=0000000000000070, sz='(null)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId entry sz=0xd41ba0,
*max=0000000000000070, certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId entry sz=0xd41ba0,
*max=0000000000000070, token_id=0xd42360
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId return rv=0-'CKR_OK',
*max=000000000000006d,
sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK',
*max=0000000000000070,
sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01'
gnupg-pkcs11-scd[22387]: chan_6 -> S KEY-FRIEDNLY
BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 /C=EE/O=ESTEID (DIGI-ID
E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN
WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN
WINGERDE,JACOB,35402120120 ( gnupg-pkcs11-scd[22387]: chan_6 -> S
KEYPAIRINFO BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1
AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3e250
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387]: chan_6 -> OK jaap at jaap:~$
gnupg-pkcs11-scd[22387]: chan_6 OK gnupg-pkcs11-scd[22387.3394275072]: assuan_process failed:
Broken pipe gnupg-pkcs11-scd[22387.3357775616]: Cleaning up threads
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_terminate entry
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating openssl
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_openssl_terminate
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing providers
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider
entry reference='esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Removing provider 'esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_notify entry gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider
return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Releasing sessions gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_freeTokenId entry certificate_id=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fcb0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40c70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd410a0 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating slotevent
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_terminate entry gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_slotevent_terminate return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Marking as uninitialized
^C
jaap at jaap:~$
--
Jaap van Wingerde
e-mail: 1234567890 at vanwingerde.nl
From guru at unixarea.de Wed Dec 23 18:54:07 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 23 Dec 2015 18:54:07 +0100
Subject: signing mails with MUA mutt fails
Message-ID: <20151223175407.GA4804@c720-r285885-amd64>
Hello,
To sign mails one configures in the MUA the command in the following
form:
gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u %a %f
where %a is the actual user and %f the mail attachment to be signed; it
does not work and I dug into this;
this works as it should:
$ gpg2 --output - --armor --sign --detach-sign -u guru msg.asc
Please enter the passphrase to unlock the OpenPGP secret key:
"Matthias Apitz (GnuPGv2) "
2048-bit DSA key, ID FFEE762B922A6CBB,
created 2015-12-22.
Passphrase:
-----BEGIN PGP SIGNATURE-----
iF4EABEIAAYFAlZ63U8ACgkQ/+52K5IqbLuC+wD/RnSo6soMzg0wxTdAFEbD2ykB
Yc15kIv7SPBXDoKohvcA/jUN2FNNEhlrrh5B/gAldFyYsJ7ruD5ktPa3b/DfpEP3
=DXMS
-----END PGP SIGNATURE-----
while this gives an error:
$ killall gpg-agent
$ echo xxxxxxxx | gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u guru msg.asc gpg: signing failed:
gpg: signing failed: Invalid IPC response
gpg: signing failed: Invalid IPC response
running with --debug gives some kind of error in the communication with
the agent:
$ killall gpg-agent
$ echo xxxxxxxx | gpg2 --debug 1024 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u guru msg.asc
gpg: reading options from '/home/guru/.gnupg/gpg.conf'
gpg: enabled debug flags: ipc
gpg: DBG: chan_7 RESET
gpg: DBG: chan_7 OPTION ttytype=rxvt
gpg: DBG: chan_7 OPTION display=:0
gpg: DBG: chan_7 OPTION xauthority=/tmp/kde-guru/xauth-1001-_0
gpg: DBG: chan_7 OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/dbus-O4oooGN9t0,guid=4cf4542b4bf772f2892b2ac3567aaf2d
gpg: DBG: chan_7 OPTION allow-pinentry-notify
gpg: DBG: chan_7 OPTION agent-awareness=2.1.0
gpg: DBG: chan_7 AGENT_ID
gpg: DBG: chan_7
gpg: DBG: chan_7 -> HAVEKEY EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1 8FB0DD8249EC4A24E2A73B4721098FCDE815FEBB
gpg: DBG: chan_7 RESET
gpg: DBG: chan_7 SIGKEY EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1
gpg: DBG: chan_7 SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Matthias+Apitz+(GnuPGv2)+%22%0A2048-bit+DSA+key,+ID+FFEE762B922A6CBB,%0Acreated+2015-12-22.%0A
gpg: DBG: chan_7 SETHASH 8 B0E553EDE7C732CA26D96C45C32E6143AB642BF28E03217400C893CCB0F14B62
gpg: DBG: chan_7 PKSIGN
gpg: DBG: chan_7 END
gpg: DBG: chan_7
gpg: signing failed: Invalid IPC response
gpg: signing failed: Invalid IPC response
gpg: secmem usage: 1568/32768 bytes in 3 blocks
What do I miss or do wrong?
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
From wk at gnupg.org Wed Dec 23 20:40:24 2015
From: wk at gnupg.org (Werner Koch)
Date: Wed, 23 Dec 2015 20:40:24 +0100
Subject: signing mails with MUA mutt fails
In-Reply-To: <20151223175407.GA4804@c720-r285885-amd64> (Matthias Apitz's
message of "Wed, 23 Dec 2015 18:54:07 +0100")
References: <20151223175407.GA4804@c720-r285885-amd64>
Message-ID: <87mvt1q7h3.fsf@vigenere.g10code.de>
On Wed, 23 Dec 2015 18:54, guru at unixarea.de said:
> To sign mails one configures in the MUA the command in the following
> form:
You should put
set crypt_use_gpgme
into your ~/.muttrc to use the modern (ie. from ~2003) version of Mutt's
crypto layer. It works much better than the bunch of configured commands.
> gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u %a %f
--passphrase-fd 0
does not work with gpg2 (since 2.1) because the gpg-agent is responsible
for the private keys and the passphrase to protect them. If you are
using an xterm the GUI Pinentry pops up from the background (controlled
by the existence of the DISPLAY envvar). If you are using a plain tty,
either the curses pinentry or the dumb tty only pinentry can be used.
The curses pinentry is part of the GUI pinentry and is used if DISPLAY
is not set. Take care to set the GPG_TTY envvar (man gpg-agent).
If you really need it with 2.1 you may also use the loopback mode which
allows gpg2 to ask for a passphrase in a similar but not identical
way gpg1 and pgp did. Put
allow-loopback-pinentry
into ~/.gnupg/gpg-agent.conf and restart the agent. Add
--pinentry-mode=loopback
to the gpg command line.
> running with --debug gives some kind of error in the communication with
> the agent:
>
> $ killall gpg-agent
> gpg: DBG: chan_7 -> AGENT_ID
> gpg: DBG: chan_7
That error is expected: it is a test for the former GNOME gpg-agent
replacement.
> gpg: DBG: chan_7
> gpg: signing failed: Invalid IPC response
Something is wrong with your pinentry. To debug this you add
--88---
log-file /foo/bar/gpg-agent.log
verbose
debug-pinentry
debug ipc
--88---
into gpg-agent.conf ("debug ipc" is the same as "debug 1024")
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
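The loopback setup and the agent debug options from the reply above, as an added shell example that is not part of the original message. The function names are hypothetical; it assumes GnuPG 2.1 with gpg2 and gpgconf on PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GnuPG 2.1 with gpg2 and gpgconf on PATH.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Append one option line to a config file unless that exact line is already
# present, so running the setup twice does not duplicate options.
conf_add() {
    ca_file=$1
    ca_line=$2
    ( umask 077; mkdir -p "$(dirname "$ca_file")" )
    touch "$ca_file"
    chmod 600 "$ca_file"
    grep -qxF -- "$ca_line" "$ca_file" || printf '%s\n' "$ca_line" >> "$ca_file"
}

# Permit gpg2 to pass a passphrase to the agent itself (loopback mode).
enable_loopback() {
    conf_add "$GNUPGHOME/gpg-agent.conf" "allow-loopback-pinentry"
}

# Turn on the agent logging suggested for diagnosing "Invalid IPC response".
# $1 is the log file path.
enable_agent_debug() {
    ead_log=$1
    for ead_opt in "log-file $ead_log" "verbose" "debug-pinentry" "debug ipc"; do
        conf_add "$GNUPGHOME/gpg-agent.conf" "$ead_opt"
    done
}

# Stop the running agent; the next gpg2 call starts one with the new options.
restart_agent() {
    gpgconf --kill gpg-agent
}

# Detach-sign file $2 as user $1. The passphrase is read from stdin (fd 0),
# so it never appears in the argument list of any process.
sign_loopback() {
    gpg2 --batch --pinentry-mode=loopback --passphrase-fd 0 \
         --output - --armor --detach-sign --textmode -u "$1" "$2"
}

# Usage (constructed file names; passfile should be readable only by you):
#   enable_loopback && restart_agent
#   sign_loopback guru msg.asc < passfile
```

The debug options produce a verbose log, so remove them from gpg-agent.conf once the pinentry problem is found.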
From stevehendo34 at gmail.com Wed Dec 23 19:14:11 2015
From: stevehendo34 at gmail.com (stevehendo34)
Date: Wed, 23 Dec 2015 11:14:11 -0700 (MST)
Subject: gpg: BAD signature from
Message-ID: <1450894451876-45427.post@n7.nabble.com>
Downloaded armory-bin.tar.gz from arch AUR
On Armory site they gave public key text in ASCII format.
I saved it to armory_key.txt
I imported this public key from armory_key.txt file to my key ring.
gpg --list-keys
pub rsa4096/98832223 2012-02-28
uid [ unknown] Alan C. Reiner (Offline Signing Key)
uid [ unknown] Alan C. Reiner (Armory Signing Key)
uid [ unknown] Alan C. Reiner (Armory Signing Key)
sub rsa4096/DE6B2D74 2012-02-28
t
They also gave signature in ascii and I saved that to armory_sig.txt
gpg --verify armory_sig.txt armory-bin.tar.gz
gpg: Signature made Sun Jun 7 20:46:36 2015 CDT using RSA key ID 98832223
gpg: BAD signature from "Alan C. Reiner (Offline Signing Key)
" [unknown]
The key ID 98832223 matches what's on their site 0x98832223, and what's on my
keyring, but
Can you explain what the third line means why (BAD signature)?
I am pretty much new to all this stuff!
From guru at unixarea.de Wed Dec 23 21:41:50 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 23 Dec 2015 21:41:50 +0100
Subject: signing mails with MUA mutt fails
In-Reply-To: <87mvt1q7h3.fsf@vigenere.g10code.de>
References: <20151223175407.GA4804@c720-r285885-amd64>
<87mvt1q7h3.fsf@vigenere.g10code.de>
Message-ID: <20151223204150.GA12119@c720-r285885-amd64>
On Wednesday, December 23, 2015 at 08:40:24PM +0100, Werner Koch wrote:
> On Wed, 23 Dec 2015 18:54, guru at unixarea.de said:
>
> > To sign mails one configures in the MUA the command in the following
> > form:
>
> You should put
>
> set crypt_use_gpgme
Thanks for that hint! I have had to re-compile the mutt port (on
FreeBSD) to get this option to work, but it now works nicely.
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
From pete at heypete.com Wed Dec 23 21:34:51 2015
From: pete at heypete.com (Pete Stephenson)
Date: Wed, 23 Dec 2015 15:34:51 -0500
Subject: gpg: BAD signature from
In-Reply-To: <1450894451876-45427.post@n7.nabble.com>
References: <1450894451876-45427.post@n7.nabble.com>
Message-ID:
On Wed, Dec 23, 2015 at 1:14 PM, stevehendo34 wrote:
> Downloaded armory-bin.tar.gz from arch AUR
>
> On Armory site they gave public key text in ASCII format.
> I saved it to armory_key.txt
> I imported this public key from armory_key.txt file to my key ring.
> gpg --list-keys
> pub rsa4096/98832223 2012-02-28
> uid [ unknown] Alan C. Reiner (Offline Signing Key)
>
> uid [ unknown] Alan C. Reiner (Armory Signing Key)
>
> uid [ unknown] Alan C. Reiner (Armory Signing Key)
>
> sub rsa4096/DE6B2D74 2012-02-28
> t
>
> They also gave signature in ascii and I saved that to armory_sig.txt
> gpg --verify armory_sig.txt armory-bin.tar.gz
> gpg: Signature made Sun Jun 7 20:46:36 2015 CDT using RSA key ID 98832223
> gpg: BAD signature from "Alan C. Reiner (Offline Signing Key)
> " [unknown]
>
> The key ID 98832223 matches what's on their site 0x98832223, and what's on my
> keyring, but
> Can you explain what the third line means why (BAD signature)?
>
> I am pretty much new to all this stuff!
Hi Steve,
Welcome!
The error means that the data you downloaded doesn't match the data
that was originally signed by the author. It's possible this could be
due to an error by the signer, a transmission error over the internet,
or intentional tampering.
Cheers!
-Pete
--
Pete Stephenson
From wub at partyvan.eu Thu Dec 24 04:29:09 2015
From: wub at partyvan.eu (Juuso Lapinlampi)
Date: Thu, 24 Dec 2015 03:29:09 +0000 (UTC)
Subject: New GnuPG FTP mirror: mirror.se.partyvan.eu
Message-ID: <17093789854478232448.enqueue@partyvan.eu>
Hi gnupg-users.
I noticed the FTP Mirrors page [1] is outdated. Many mirrors are dead,
some have not existed for perhaps years. The fair amount of confusion
that came from that page made me initially delay with the decision to
host a new mirror - I wasn't sure where to start.
Sunet announced to decommission last year, although it still seems to be
available and syncing. ftp.jyu.fi may have been merged with
ftp.funet.fi, although I couldn't find GnuPG to be hosted on Funet's FTP
server.
This led me to believe there is no active GnuPG mirror available in
Sweden/Finland, so I have set up one for GnuPG on our mirror server in
Stockholm, Sweden. This mirror server is connected to a 1 Gbps
connection at AS42708 Portlane AB.
- ftp: n/a
- http: http://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/
- https: https://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/
- onion: http://tpvj6abq225m5pcf.onion/pub/ftp.gnupg.org/gcrypt/
- rsync: rsync://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/
I've set up syncing to happen from ftp.gnupg.org over rsync daily at
12:00.[2] This happened to be the closest available rsync server right
now, excluding ftp.sunet.se whose future seems uncertain.
If interested, I can set up syncing to happen more frequently too, e.g.
twice or four times a day.
[1]: https://www.gnupg.org/download/mirrors.html
[2]: https://partyvan.eu/transparency/config/cron/tabs/rsync
--
Juuso Lapinlampi
Partyvan
From guru at unixarea.de Thu Dec 24 09:15:46 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 24 Dec 2015 09:15:46 +0100
Subject: signing mails with MUA mutt fails
In-Reply-To: <87mvt1q7h3.fsf@vigenere.g10code.de>
References: <20151223175407.GA4804@c720-r285885-amd64>
<87mvt1q7h3.fsf@vigenere.g10code.de>
Message-ID: <20151224081546.GA2465@c720-r285885-amd64>
On Wednesday, December 23, 2015 at 08:40:24PM +0100, Werner Koch wrote:
> On Wed, 23 Dec 2015 18:54, guru at unixarea.de said:
>
> > To sign mails one configures in the MUA the command in the following
> > form:
>
> You should put
>
> set crypt_use_gpgme
>
> into your ~/.muttrc to use the modern (ie. from ~2003) version of Mutt's
> crypto layer. It works much better than the bunch of configured commands.
>
> > gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u %a %f
>
> --passphrase-fd 0
>
> does not work with gpg2 (since 2.1) because the gpg-agent is responsible
> for the private keys and the passphrase to protect them. If you are
> using an xterm the GUI Pinentry pops up from the background (controlled
> by the existence of the DISPLAY envvar). If you are using a plain tty,
> either the curses pinentry or the dumb tty only pinentry can be used.
> The curses pinentry is part of the GUI pinentry and is used if DISPLAY
> is not set. Take care to set the GPG_TTY envvar (man gpg-agent).
> ...
As I said, it works very well; only pinentry is not popping up as an X
application (which I do not want either); a ps shows:
$ ps ax | egrep 'gnu|pin|mutt'
2374 - Ss 0:00,01 gpg-agent --homedir /home/guru/.gnupg --use-standard-socket --daemon
2392 - S 0:00,03 pinentry --display :0 (pinentry-tty)
2394 1 S+ 0:00,00 egrep gnu|pin|mutt
2354 3 S+ 0:00,23 mutt
and of course, I have DISPLAY=:0 in my env;
I only wanted to mention this for the records; for me it is fine;
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
"(on the GDR)... And this shortage (of socialism) alone, and nothing else, led to its death.
And whoever does not mourn has no heart, and whoever does not set to work anew has not earned
one either.", junge Welt, 3 October 2015, p. 11
From guru at unixarea.de Thu Dec 24 17:02:54 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 24 Dec 2015 17:02:54 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
Message-ID: <20151224160254.GA2153@c720-r285885-amd64>
Hello,
I do not fully understand why some 4 random words like
Correct, horse! Battery staple!
is a better passphrase than, for example
Und allein dieser Mangel und nichts anderes führte zum Tod.
i.e. some phrasing which could be memorized better?
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
From peter at digitalbrains.com Thu Dec 24 17:50:47 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 24 Dec 2015 17:50:47 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64>
References: <20151224160254.GA2153@c720-r285885-amd64>
Message-ID: <567C2267.6040108@digitalbrains.com>
Hello,
> Correct, horse! Battery staple!
My understanding is that these words in such a passphrase are chosen by
a random number generator in a computer. I use such a passphrase; I've
let my computer pick words out of a word list based on reading
/dev/random; or actually, I'm fairly sure I used GnuPG to generate the
randomness. I didn't let it generate four words; I let it generate a few
more until some combination of four words emerged that I could somehow
memorize. It is not a phrase, it is non-grammatical, it just has
something to it that makes it such that I can remember. The amount of
entropy each word contains is close to the amount of choice there is in
picking a word from the word list; i.e., base-2 log of the number of
words in the word list if you express it in bits.
> Und allein dieser Mangel und nichts anderes führte zum Tod.
This is grammatical. There is a subject (or two), a verb, an.. well
whatever those things are like "zum Tod", I don't often discuss grammar
in any other language than Dutch so I forgot the technical terms.
Furthermore, the phrase actually makes sense semantically. I don't know
if somebody ever said or wrote it; that would make it even worse, since
a passphrase cracker could try sentences from a corpus of likely texts
it has scoured from the internet.
It has grammar, it has semantics, it has a proper meaning. All these
things go at the expense of its entropy. Whereas a few words that only
make enough sense to be memorizable have loads of entropy, as the
cartoon expresses. "Memorizability" is not easily quantified when you
write a password cracker. It's almost a Turing test in a way. What you
want to avoid is that there is a pattern that a password cracker can
look for. Replacing an i with a 1 (one) is a horribly little amount of
extra entropy that serves more to make it difficult for you than that
one little extra try that a password cracker has to do matters.
> i.e. some phrasing which could be memorized better?
I don't think I can ever make myself forget Correct horse, battery
staple! :)
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From lopaki at gmail.com Thu Dec 24 17:16:59 2015
From: lopaki at gmail.com (Scott Lambdin)
Date: Thu, 24 Dec 2015 11:16:59 -0500
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64>
References: <20151224160254.GA2153@c720-r285885-amd64>
Message-ID:
My boss told me to pick an 8 word sentence and use the initials. I chose
my favorite line from my fan fiction: "Put All Star Ships Where Only
Romulans Dwell" and he fired me.
On Thu, Dec 24, 2015 at 11:02 AM, Matthias Apitz wrote:
>
> Hello,
>
> I do not fully understand why some 4 random words like
>
> Correct, horse! Battery staple!
>
> is a better passphrase than, for example
>
> Und allein dieser Mangel und nichts anderes führte zum Tod.
>
> i.e. some phrasing which could be memorized better?
>
> matthias
> --
> Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/,
> +49-176-38902045
--
Eat like you give a damn. Go vegan.
From ineiev at gnu.org Fri Dec 25 06:19:37 2015
From: ineiev at gnu.org (Ineiev)
Date: Fri, 25 Dec 2015 00:19:37 -0500
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <567C2267.6040108@digitalbrains.com>
References: <20151224160254.GA2153@c720-r285885-amd64>
<567C2267.6040108@digitalbrains.com>
Message-ID: <20151225051936.GB1448@gnu.org>
Hello,
On Thu, Dec 24, 2015 at 05:50:47PM +0100, Peter Lebbing wrote:
>
> > Und allein dieser Mangel und nichts anderes führte zum Tod.
>
> This is grammatical. There is a subject (or two), a verb, an.. well
> whatever those things are like "zum Tod", I don't often discuss grammar
> in any other language than Dutch so I forgot the technical terms.
> Furthermore, the phrase actually makes sense semantically. I don't know
> if somebody ever said or wrote it; that would make it even worse, since
> a passphrase cracker could try sentences from a corpus of likely texts
> it has scoured from the internet.
>
> It has grammar, it has semantics, it has a proper meaning. All these
> things go at the expense of its entropy.
I assume the amount of entropy is what really matters. For instance,
if on every next step you are free to choose any of 4 random words
taken from 60000-word dictionary, you may put it in a grammatically
correct form[*], then you must get a certain entropy per step.
* Depending on the language, there may be more than one correct form
(past, future, plural, first or second person, modified with
a preposition...), but this randomness is hard to ensure.
From peter at digitalbrains.com Fri Dec 25 10:57:06 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 25 Dec 2015 10:57:06 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151225051936.GB1448@gnu.org>
References: <20151224160254.GA2153@c720-r285885-amd64>
<567C2267.6040108@digitalbrains.com> <20151225051936.GB1448@gnu.org>
Message-ID: <567D12F2.7020504@digitalbrains.com>
On 25/12/15 06:19, Ineiev wrote:
> I assume the amount of entropy is what really matters. For instance,
> if on every next step you are free to choose any of 4 random words
> taken from 60000-word dictionary, you may put it in a grammatically
> correct form[*], then you must get a certain entropy per step.
Yes, however, this characterization seems mathematically incorrect.
Let's assume one in four words in the dictionary fits the grammar. I
hope this concurs broadly with what you assumed. Rather than pick four
random words of the full list, and then pick one of those, you pick one
out of a quarter of the wordlist size.
So that's 2 bits per word you're losing, a lot more than if you were
free to pick one of four random words. And there is a lot more structure
to the sentence given by Matthias than just its grammatical soundness.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From ineiev at gnu.org Fri Dec 25 16:38:45 2015
From: ineiev at gnu.org (Ineiev)
Date: Fri, 25 Dec 2015 10:38:45 -0500
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <567D12F2.7020504@digitalbrains.com>
References: <20151224160254.GA2153@c720-r285885-amd64>
<567C2267.6040108@digitalbrains.com>
<20151225051936.GB1448@gnu.org>
<567D12F2.7020504@digitalbrains.com>
Message-ID: <20151225153845.GA5951@gnu.org>
On Fri, Dec 25, 2015 at 10:57:06AM +0100, Peter Lebbing wrote:
> On 25/12/15 06:19, Ineiev wrote:
> Let's assume one in four words in the dictionary fits the grammar. I
> hope this concurs broadly with what you assumed. Rather than pick four
> random words of the full list, and then pick one of those, you pick one
> out of a quarter of the wordlist size.
Agreed.
> So that's 2 bits per word you're losing, a lot more than if you were
> free to pick one of four random words.
60000/4 is more than 13 bits; 2 bits is not a lot compared to 13,
but the result may be much easier to remember.
> And there is a lot more structure
> to the sentence given by Matthias than just its grammatical soundness.
I see; it's a different issue.
From johanw at vulcan.xs4all.nl Fri Dec 25 15:57:14 2015
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri, 25 Dec 2015 15:57:14 +0100
Subject: MIT Tech Review on user error
In-Reply-To: <56731B22.7060603@sixdemonbag.org>
References: <56731B22.7060603@sixdemonbag.org>
Message-ID: <567D594A.7050002@vulcan.xs4all.nl>
On 17-12-2015 21:29, Robert J. Hansen wrote:
> http://www.technologyreview.com/news/544516/user-error-compromises-many-encrypted-communication-apps/
Signal assumes TOFU, and warns if the key is changed. That can have a
legitimate reason (new installation), or indicate an attempted mitm
attack. Which one it is can not be determined in the application itself.
--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From johanw at vulcan.xs4all.nl Fri Dec 25 16:02:38 2015
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri, 25 Dec 2015 16:02:38 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64>
References: <20151224160254.GA2153@c720-r285885-amd64>
Message-ID: <567D5A8E.4050604@vulcan.xs4all.nl>
On 24-12-2015 17:02, Matthias Apitz wrote:
> I do not fully understand why some 4 random words like
>
> Correct, horse! Battery staple!
>
> is a better passphrase than, for example
>
> Und allein dieser Mangel und nichts anderes führte zum Tod.
I do know that using accented characters might get you into trouble on
some keyboards. I remember working somewhere where German keyboards were
used but the driver for them was loaded after login. We had to tell the
people not to use a z or y in the password to limit the amount of "I
can't login" calls to the IT department.
--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From vedaal at nym.hush.com Fri Dec 25 17:13:15 2015
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Fri, 25 Dec 2015 11:13:15 -0500
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151225153845.GA5951@gnu.org>
References: <20151224160254.GA2153@c720-r285885-amd64>
<567C2267.6040108@digitalbrains.com> <20151225051936.GB1448@gnu.org>
<567D12F2.7020504@digitalbrains.com> <20151225153845.GA5951@gnu.org>
Message-ID: <20151225161315.A420B401EA@smtp.hushmail.com>
If you want a simple random list, look at diceware:
http://world.std.com/~reinhold/diceware.html
Both the page and the diceware lists are available in many languages,
including German
vedaal
From lachlan at twopif.net Fri Dec 25 17:41:15 2015
From: lachlan at twopif.net (Lachlan Gunn)
Date: Fri, 25 Dec 2015 17:41:15 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151225161315.A420B401EA@smtp.hushmail.com>
References: <20151224160254.GA2153@c720-r285885-amd64>
<567C2267.6040108@digitalbrains.com>
<20151225051936.GB1448@gnu.org>
<567D12F2.7020504@digitalbrains.com>
<20151225153845.GA5951@gnu.org>
<20151225161315.A420B401EA@smtp.hushmail.com>
Message-ID:
I'm a big fan of that list, and for some time I've been meaning to generate
a tweaked version that uses binary numbering, having recently needed to
generate a passphrase without a dice to hand. Using a coin and rejection
sampling isn't too hard, but it's rather annoying to have to throw away 20%
of digits.
Thanks,
Lachlan
On 25 Dec. 2015 17:16, wrote:
> If you want a simple random list, look at diceware:
>
> http://world.std.com/~reinhold/diceware.html
>
> Both the page and the diceware lists are available in many languages,
> including German
>
>
> vedaal
From malte at wk3.org Fri Dec 25 18:21:09 2015
From: malte at wk3.org (malte at wk3.org)
Date: Fri, 25 Dec 2015 18:21:09 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64>
References: <20151224160254.GA2153@c720-r285885-amd64>
Message-ID: <145106406944.21768.1031069467226354305@solidarity.enteig.net>
It's about the randomness/unpredictability/entropy of the passphrase.
There are fewer grammatically correct sentences with 4 words than there
are combinations of 4 words in total.
So, yes, you can take a sentence that makes sense, but then the whole
passphrase has to be longer. There is an estimate of 1.5 bit of entropy
per character in natural language. So if you want a passphrase with 60
bits of entropy, it would need to be 40 characters long. You could reach
the same strength with 10 random characters (alphanumeric with upper and
lower case).
In the end it depends what you can remember better and what you can type
faster.
Sincerely,
Malte
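The entropy arithmetic used in this thread (base-2 log of the word-list size, the 2 bits per word lost to a one-in-four grammar constraint, 1.5 bits per character of natural language) together with the coin-instead-of-dice rejection sampling Lachlan mentions, as an added Python example that is not code from any of the posters. The 13-bit binary-numbered list and all function names are assumptions made for illustration.

```python
import math
import secrets
from typing import Callable, Iterable, Tuple

Flip = Callable[[], int]  # one fair coin toss: returns 0 or 1


def csprng_flip() -> int:
    """Stand-in for a physical coin, backed by the OS CSPRNG."""
    return secrets.randbits(1)


def replay(bits: Iterable[int]) -> Flip:
    """Replay recorded tosses (type in real coin flips, or use in tests)."""
    it = iter(bits)
    return lambda: next(it)


def passphrase_bits(n_options: int, n_picks: int) -> float:
    """Entropy of n_picks independent uniform picks from n_options items."""
    return n_picks * math.log2(n_options)


def grammar_loss_bits(fraction_allowed: float) -> float:
    """Bits lost per word if only this fraction of the list may be used."""
    return -math.log2(fraction_allowed)


def chars_for(target_bits: float, bits_per_char: float) -> int:
    """Length needed to reach target_bits at a given entropy per character."""
    return math.ceil(target_bits / bits_per_char)


def die_from_coin(flip: Flip = csprng_flip) -> Tuple[int, int]:
    """Unbiased six-sided die from coin tosses; returns (roll, tosses used).

    Three tosses give a value 0..7. Values 6 and 7 are discarded and the
    three tosses are repeated, so every face 1..6 stays equally likely.
    """
    used = 0
    while True:
        value = 0
        for _ in range(3):
            value = (value << 1) | flip()
            used += 1
        if value < 6:
            return value + 1, used


def diceware_key(flip: Flip = csprng_flip) -> Tuple[str, int]:
    """Five rolls form one Diceware lookup key (6**5 = 7776 words)."""
    digits, used = [], 0
    for _ in range(5):
        roll, n = die_from_coin(flip)
        digits.append(str(roll))
        used += n
    return "".join(digits), used


def binary_index(n_bits: int, flip: Flip = csprng_flip) -> int:
    """Index into a hypothetical 2**n_bits-word list: no toss is discarded."""
    value = 0
    for _ in range(n_bits):
        value = (value << 1) | flip()
    return value


if __name__ == "__main__":
    print("4 words from 60000 words : %.1f bits" % passphrase_bits(60000, 4))
    print("4 words from a quarter   : %.1f bits" % passphrase_bits(15000, 4))
    print("4 Diceware words (7776)  : %.1f bits" % passphrase_bits(7776, 4))
    print("10 random alphanumerics  : %.1f bits" % passphrase_bits(62, 10))
    print("natural text for 60 bits : %d chars" % chars_for(60, 1.5))
    keys = [diceware_key() for _ in range(4)]
    print("Diceware keys to look up :", " ".join(k for k, _ in keys))
    print("coin tosses spent        :", sum(n for _, n in keys))
    print("13-bit list index        :", binary_index(13))
```

The keys printed at the end are looked up in the printed Diceware list; the words themselves never need to touch a network or a search engine.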
From guru at unixarea.de Fri Dec 25 18:41:30 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 25 Dec 2015 18:41:30 +0100
Subject: self signing the pub key
Message-ID: <20151225174130.GA5083@c720-r285885-amd64>
Hello,
I read that I should self-sign my pub key, but when I do this after
creation, it says:
$ LANG=C gpg2 --sign-key Matthias
pub rsa2048/AA1EF4741F9046D4
created: 2015-12-25 expires: never usage: SC
trust: ultimate validity: ultimate
sub rsa2048/D6AD2EFF41863FE4
created: 2015-12-25 expires: never usage: E
[ultimate] (1). Matthias Apitz (GnuPG v2)
"Matthias Apitz (GnuPG v2) " was already signed by key AA1EF4741F9046D4
Nothing to sign with key AA1EF4741F9046D4
Key not changed so no update needed.
What am I doing wrong?
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
From kloecker at kde.org Fri Dec 25 18:50:07 2015
From: kloecker at kde.org (Ingo Klöcker)
Date: Fri, 25 Dec 2015 18:50:07 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64>
References: <20151224160254.GA2153@c720-r285885-amd64>
Message-ID: <2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote:
> Hello,
>
> I do not fully understand why some 4 random words like
>
> Correct, horse! Battery staple!
>
> is a better passphrase than, for example
>
> Und allein dieser Mangel und nichts anderes führte zum Tod.
>
> i.e. some phrasing which could be memorized better?
The second sentence is found by search engines (2 hits in DuckDuckGo). Don't
use it or any other phrase that has been published on the internet. A phrase
of 4 random words has a high probability that it has not been published on the
internet (or anywhere else). The tricky part is that you must never put your
4-random-words phrase into a search engine to check this.
Instead of using a 4-random-words phrase you can use a proper sentence with
equivalent entropy provided that you do not use a sentence that has been
published anywhere. Come up with your own sentence. Ideally come up with a
sentence that doesn't make any sense like "The horse was correct. You cannot
staple batteries." This phrase might be easier to remember and has a similar
entropy as the above mentioned 4-random-words phrase.
Regards,
Ingo
From kloecker at kde.org Fri Dec 25 18:54:38 2015
From: kloecker at kde.org (Ingo Klöcker)
Date: Fri, 25 Dec 2015 18:54:38 +0100
Subject: self signing the pub key
In-Reply-To: <20151225174130.GA5083@c720-r285885-amd64>
References: <20151225174130.GA5083@c720-r285885-amd64>
Message-ID: <65960159.zdBgcz4ukb@collossus.ingo-kloecker.de>
On Friday 25 December 2015 18:41:30 Matthias Apitz wrote:
> Hello,
>
> I read that I should self-sign my pub key, but when I do this after
> creation, it says:
>
> $ LANG=C gpg2 --sign-key Matthias
>
> pub rsa2048/AA1EF4741F9046D4
> created: 2015-12-25 expires: never usage: SC
> trust: ultimate validity: ultimate
> sub rsa2048/D6AD2EFF41863FE4
> created: 2015-12-25 expires: never usage: E
> [ultimate] (1). Matthias Apitz (GnuPG v2)
>
> "Matthias Apitz (GnuPG v2) " was already signed by key
> AA1EF4741F9046D4 Nothing to sign with key AA1EF4741F9046D4
>
> Key not changed so no update needed.
>
> What am I doing wrong?
You didn't do anything wrong. When you create a new key it is automatically
self-signed. A long time ago this was not necessarily the case. Today the
above advice is still correct, but probably no longer necessary.
Regards,
Ingo
From guru at unixarea.de Fri Dec 25 20:11:03 2015
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 25 Dec 2015 20:11:03 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
References: <20151224160254.GA2153@c720-r285885-amd64>
<2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
Message-ID: <20151225191103.GA1930@c720-r285885-amd64>
On Friday, December 25, 2015 at 06:50:07PM +0100, Ingo Klöcker wrote:
> > Und allein dieser Mangel und nichts anderes führte zum Tod.
> >
> > i.e. some phrasing which could be memorized better?
>
> The second sentence is found by search engines (2 hits in DuckDuckGo). Don't
> use it or any other phrase that has been published on the internet. A phrase
> of 4 random words has a high probability that it has not been published on the
> internet (or anywhere else). The tricky part is that you must never put your
> 4-random-words phrase into a search engine to check this.
>
> Instead of using a 4-random-words phrase you can use a proper sentence with
> equivalent entropy provided that you do not use a sentence that has been
> published anywhere. Come up with your own sentence. Ideally come up with a
> sentence that doesn't make any sense like "The horse was correct. You cannot
> staple batteries." This phrase might be easier to remember and has a similar
> entropy as the above mentioned 4-random-words phrase.
Ofc, I would not have used this phrase, which is part of my signature :-)
This was only an example. I'd have used something from a book or
poem which was written before Internet-times and perhaps never published
afterwards.
Thanks for all hints in this thread.
matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/, +49-176-38902045
"(Über die DDR)... Und allein dieser Mangel (an Sozialismus) und nichts anderes führte zum Tod.
Und wer da nicht trauert, hat kein Herz, und wer da nicht neu anpackt, hat auch keins verdient."
"(sobre la RDA)... Y solo esta escasez (de socialismo) y no otra cosa, le llevó a la muerte.
Y quien no está de luto, no tiene corazón, y quien no se lanza a luchar de nuevo, no se merece
corazón.", junge Welt del 3 de octubre 2015, p. 11
From gnupg at raf.org Sat Dec 26 00:56:18 2015
From: gnupg at raf.org (gnupg at raf.org)
Date: Sat, 26 Dec 2015 10:56:18 +1100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151225191103.GA1930@c720-r285885-amd64>
References: <20151224160254.GA2153@c720-r285885-amd64>
<2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
<20151225191103.GA1930@c720-r285885-amd64>
Message-ID: <20151225235617.GA16126@raf.org>
Matthias Apitz wrote:
> On Friday, December 25, 2015 at 06:50:07PM +0100, Ingo Klöcker wrote:
>
> > > Und allein dieser Mangel und nichts anderes führte zum Tod.
> > >
> > > i.e. some phrasing which could be memorized better?
> >
> > The second sentence is found by search engines (2 hits in DuckDuckGo). Don't
> > use it or any other phrase that has been published on the internet. A phrase
> > of 4 random words has a high probability that it has not been published on the
> > internet (or anywhere else). The tricky part is that you must never put your
> > 4-random-words phrase into a search engine to check this.
> >
> > Instead of using a 4-random-words phrase you can use a proper sentence with
> > equivalent entropy provided that you do not use a sentence that has been
> > published anywhere. Come up with your own sentence. Ideally come up with a
> > sentence that doesn't make any sense like "The horse was correct. You cannot
> > staple batteries." This phrase might be easier to remember and has a similar
> > entropy as the above mentioned 4-random-words phrase.
>
> Ofc, I would not have used this phrase, which is part of my signature :-)
> This was only an example. I'd have used something from a book or
> poem which was written before Internet-times and perhaps never published
> afterwards.
that's no good. if it's been published ever, then google has probably
obtained a copy and digitized it and re-published it at books.google.com.
From malte at wk3.org Sat Dec 26 01:39:40 2015
From: malte at wk3.org (malte at wk3.org)
Date: Sat, 26 Dec 2015 01:39:40 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
References: <20151224160254.GA2153@c720-r285885-amd64>
<2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
Message-ID: <145109038056.28662.14078272701893580572@solidarity.enteig.net>
Hi,
do you have an estimate on the number of unique sentences published on
the Internet?
Sincerely,
Malte
From peter at digitalbrains.com Sat Dec 26 09:53:38 2015
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 26 Dec 2015 09:53:38 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <145109038056.28662.14078272701893580572@solidarity.enteig.net>
References: <20151224160254.GA2153@c720-r285885-amd64>
<2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
<145109038056.28662.14078272701893580572@solidarity.enteig.net>
Message-ID: <567E5592.7040300@digitalbrains.com>
On 26/12/15 01:39, malte at wk3.org wrote:
> do you have an estimate on the number of unique sentences published on
> the Internet?
Hmmmmm.... how many of those would have been generated by a Markov chain
generator that a spammer used to generate some filler text in a spam
mail? I bet you've seen them, those texts that superficially look like
proper English sentences, but when you look closely, it's completely
nonsensical.
What is your purpose by the way? Look for an estimated amount of entropy
contained in picking one of those sentences?
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From wk at gnupg.org Sat Dec 26 10:36:28 2015
From: wk at gnupg.org (Werner Koch)
Date: Sat, 26 Dec 2015 10:36:28 +0100
Subject: GnuPG News for November and December 2015
Message-ID: <878u4hr1pf.fsf@vigenere.g10code.de>
Hi,
here comes the plaintext copy of Neal's status update for November and
December:
(https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html)
_________________________________________
20151224-GNUPG-IN-NOVEMBER-AND-DECEMBER
Neal
_________________________________________
December 24th, 2015
Table of Contents
_________________
1 GnuPG News for November and December 2015
.. 1.1 See us at 32C3
.. 1.2 Press
.. 1.3 Development
.. 1.4 Contact
.. 1.5 Discussions
.. 1.6 Donations
2 About this news posting
1 GnuPG News for November and December 2015
===========================================
1.1 See us at 32C3
~~~~~~~~~~~~~~~~~~
Werner and Neal will each give a talk at 32C3 as part of the [FSFE
Assembly]. Both talks are on Monday, December 28th. Neal's
presentation is at 16:00 in Hall A.1. He'll present "An Advanced
Introduction to GnuPG." Werner follows immediately at 17:00 with
"GnuPG and its current state of development."
If you want to chat, we (Justus, Kai, Neal & Werner) will be around
during the congress. (Neal will be mostly hanging out at the Kidspace
and thus will probably be the easiest to find.) If you want to
arrange a chat, send us an email. If you see one of us, don't
hesitate to ask for a business card with a list of the keys we use to
sign GnuPG releases!
[FSFE Assembly]
https://events.ccc.de/congress/2015/wiki/Assembly:Free_Software_Foundation_Europe#sessions
1.2 Press
~~~~~~~~~
[Werner was interviewed] (in German) by Jürgen Asbeck from Germany's
Pirate Party.
[Werner was interviewed]
https://www.piratenpartei.de/2015/12/23/interview-mit-werner-koch/
1.3 Development
~~~~~~~~~~~~~~~
There have been two new releases of GnuPG: version [2.1.10] and
version [1.4.20].
Version 2.1.10 is the first GnuPG version to include support for TOFU.
TOFU stands for trust on first use and should be familiar to anyone
who uses ssh. Basically, TOFU is a mechanism to detect when the
binding between an identity and a key changes. This can prevent or
detect active man-in-the-middle (MitM) attacks and forgeries.
Although this protection is weaker than the Web of Trust's theoretical
guarantees, we have observed that most people don't bother to sign
keys or set owner trust. The practical result is that most users
don't make use of the web of trust and, as such, GnuPG only protects
them from passive MitM attacks. TOFU provides protection against
active MitM as long as they are not sustained while not requiring any
user support. Happily, the web of trust and TOFU can be combined. To
read more about how to use TOFU, see this [email]. A more theoretical
handling of how TOFU works is described in our forthcoming [paper].
(Feedback is welcome.)
Another noteworthy addition to 2.1.10 is Tor support. To enable this,
simply add the following to your dirmngr.conf file:
,----
| use-tor
| keyserver hkp://jirk5u4osbsr34t5.onion
`----
(`hkp://jirk5u4osbsr34t5.onion' is the .onion address for [SKS
Keyserver Pool].) Note: for this to work, you'll need to be running
Tor. On Debian, you just need to install the Tor package; there is
nothing more to configure.
2.1.10 also includes a number of small additions. It is now possible
to use `--default-key' multiple times and GnuPG will use the last key
that is available for signing (this is good when using a configuration
file shared among multiple hosts). `--encrypt-to-default-key' will
cause all messages to also be encrypted to the key specified in
`--default-key'. `--unwrap' will strip an OpenPGP message of its
encryption layer (and everything outside of it). Since most
messages are signed and then encrypted, this preserves the signature
(unlike `--decrypt'). `--only-sign-text-ids' causes `--sign' to not
sign photo IDs.
In 2.1.10, Neal added code to detect ambiguous key specifications.
This code proved to be incomplete and has since been removed from git.
Given that it will take some time to ensure that the code is stable,
this feature will return in 2.3.x. (2.2 is planned for the beginning
of 2016.)
2.1.10 also includes a number of bug fixes for dirmngr. In
particular, there was a bug that prevented fetching a large number of
keys over TLS streams.
Both 2.1.10 and 1.4.20 include support for the new `--weak-digest'
option, which can be used to explicitly mark a digest as deprecated.
(You should consider doing this for SHA-1, which is no longer
considered safe.)
Andre published [version 2.3.0 of gpg2win]. He's also been working on
GpgOL (a GnuPG plug-in for Outlook). The latest test version includes
support for sending PGP/MIME mails. If you are interested in helping
to test it, read the [wiki] and follow the [gpg4win-devel mailing
list] for details.
Jussi has continued his work on libgcrypt. He recently added a
variable length output interface for the digest API, which was needed
for new SHAKE algorithms. He has also worked on some new
optimizations for the hash-algorithms; fine-tuned existing SHA-3/SHAKE
and Tiger implementations and added an ARMv7/NEON implementation of
SHA-3/SHAKE.
Niibe fixed an important long standing bug in scdaemon whereby users
cannot access their smartcard after reinsertion. Another minor bug
that he fixed is that the removal of smartcards was not always
correctly detected. These bugs are fixed in 2.1.10 and will be
backported to 2.0.x.
Niibe also did a major change in libgcrypt for Curve25519, which
changes the point format of the curve by adding the 0x40 prefix (this
is the same as Ed25519). New private keys and encrypted messages
created with the new libgcrypt will always have the prefix 0x40. Any
users of Curve25519 encryption should update their libgcrypt.
Existing keys should continue to be handled correctly.
For those interested in Werner's work on g13 (a LUKS replacement,
which allows using a smartcard to decrypt the master key), he has
pushed his current work to the `wk/g13work' branch.
[2.1.10]
https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000381.html
[1.4.20]
https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html
[email]
https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html
[paper] ftp://ftp.g10code.com/people/neal/tofu.pdf
[SKS Keyserver Pool] https://sks-keyservers.net
[version 2.3.0 of gpg2win]
http://lists.wald.intevation.org/pipermail/gpg4win-announce/2015-November/000067.html
[wiki] https://wiki.gnupg.org/Gpg4win/Testversions
[gpg4win-devel mailing list]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-devel
1.4 Contact
~~~~~~~~~~~
Werner announced the official [chat room] for developers. Note: for
general questions, #gnupg on freenode remains the better real-time
chat forum.
[chat room]
https://lists.gnupg.org/pipermail/gnupg-devel/2015-December/030599.html
1.5 Discussions
~~~~~~~~~~~~~~~
Guilhem Moulin discussed using [OpenPGP notations to limit the scope
of subkeys].
James asked about [best practices for creating keys] and got a number
of helpful responses.
The Nitrokey developers [announced an effort to develop a new USB
Security Key] with hidden storage (for plausible deniability).
Nitrokey is 100% free software and open hardware. Their [crowdfunding
campaign] runs until the end of December.
Robert J. Hansen shared a link to an MIT Technology Review article on
how [user error subverts communication security].
Matthias Apitz asked about [why private keys are stored differently in
GnuPG 2.1] and Werner provided a detailed explanation.
[OpenPGP notations to limit the scope of subkeys]
https://lists.gnupg.org/pipermail/gnupg-devel/2015-November/030576.html
[best practices for creating keys]
https://lists.gnupg.org/pipermail/gnupg-users/2015-November/054679.html
[announced an effort to develop a new USB Security Key]
https://lists.gnupg.org/pipermail/gnupg-users/2015-November/054695.html
[crowdfunding campaign]
https://www.indiegogo.com/projects/nitrokey-storage-usb-security-key-for-encryption#/
[user error subverts communication security]
https://lists.gnupg.org/pipermail/gnupg-users/2015-December/054864.html
[why private keys are stored differently in GnuPG 2.1]
https://lists.gnupg.org/pipermail/gnupg-users/2015-December/054881.html
1.6 Donations
~~~~~~~~~~~~~
At the beginning of 2015, the Linux Foundation, as part of their core
infrastructure initiative, made a one-time USD60,000 donation. We are
pleased to report that the Linux Foundation has decided to renew their
support for 2016 and have donated another USD60,000. Thanks!
Unfortunately, [although Facebook initially announced that they would
provide USD50,000 of support per year], they have since rescinded.
[although Facebook initially announced that they would provide
USD50,000 of support per year]
https://twitter.com/stripe/status/563449352635432960
2 About this news posting
=========================
We try to write a news posting each month. However, other work may
have a higher priority (e.g. security fixes) and thus there is no
promise for a fixed publication date. If you have an interesting
topic for a news posting, please send it to us. A regular summary of
the mailing list discussions would make a nice column on this news.
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
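A simplified model of the trust-on-first-use check described in the news posting above and in Johan Wevers' earlier remark about Signal, added here as an illustration; it is not GnuPG's or Signal's implementation. The class, its method names and the fingerprints are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Verdict(Enum):
    FIRST_USE = "first use: binding recorded, nothing to compare against"
    MATCH = "match: same key as on earlier contacts"
    CONFLICT = "conflict: identity was bound to a different key"


@dataclass
class Binding:
    fingerprint: str
    times_seen: int = 1


class TofuStore:
    """Remembers which key each identity used first and flags any change."""

    def __init__(self) -> None:
        self._bindings: Dict[str, Binding] = {}
        # Audit trail of (identity, remembered key, offered key).
        self.conflicts: List[Tuple[str, str, str]] = []

    @staticmethod
    def _ident(identity: str) -> str:
        return identity.strip().lower()

    @staticmethod
    def _fpr(fingerprint: str) -> str:
        # Fingerprints are often shown in spaced groups and mixed case.
        return "".join(fingerprint.split()).upper()

    def observe(self, identity: str, fingerprint: str) -> Verdict:
        ident, fpr = self._ident(identity), self._fpr(fingerprint)
        known = self._bindings.get(ident)
        if known is None:
            # Nothing to compare against: an attacker present from the very
            # first contact onward (a sustained MitM) is not detected here.
            self._bindings[ident] = Binding(fpr)
            return Verdict.FIRST_USE
        if known.fingerprint == fpr:
            known.times_seen += 1
            return Verdict.MATCH
        # Keep the old binding. Silently replacing it would hide exactly
        # the event this mechanism exists to surface.
        self.conflicts.append((ident, known.fingerprint, fpr))
        return Verdict.CONFLICT

    def accept_new_key(self, identity: str, fingerprint: str) -> None:
        """Explicit user decision, taken after checking the key out of band.

        The store cannot tell a reinstall from an attack; only the user can.
        """
        self._bindings[self._ident(identity)] = Binding(self._fpr(fingerprint))

    def times_seen(self, identity: str) -> int:
        binding = self._bindings.get(self._ident(identity))
        return binding.times_seen if binding else 0


# Constructed sample data: placeholder fingerprints, not real keys.
KEY_A = "AAAA" * 10
KEY_B = "BBBB" * 10


def demo() -> List[Verdict]:
    store = TofuStore()
    return [
        store.observe("alice@example.org", KEY_A),          # first contact
        store.observe("Alice@Example.org", KEY_A.lower()),  # same binding
        store.observe("alice@example.org", KEY_B),          # key changed
        store.observe("alice@example.org", KEY_A),          # old key still bound
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```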
From malte at wk3.org Sat Dec 26 17:00:04 2015
From: malte at wk3.org (malte at wk3.org)
Date: Sat, 26 Dec 2015 17:00:04 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <567E5592.7040300@digitalbrains.com>
References: <20151224160254.GA2153@c720-r285885-amd64>
<2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
<145109038056.28662.14078272701893580572@solidarity.enteig.net>
<567E5592.7040300@digitalbrains.com>
Message-ID: <145114560479.8130.7376137733924956804@solidarity.enteig.net>
Quoting Peter Lebbing (2015-12-26 09:53:38)
> On 26/12/15 01:39, malte at wk3.org wrote:
> > do you have an estimate on the number of unique sentences published on
> > the Internet?
>
> What is your purpose by the way? Look for an estimated amount of entropy
> contained in picking one of those sentences?
Yes. To know if picking a random, but previously published sentence (no
matter the length) may ever be good enough. And then maybe going on to
see if two random, but previously published sentences might be good
enough (-:
Sincerely,
Malte
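Added example (not part of any list message): the entropy comparison asked about above, for a secret drawn uniformly from a public corpus of sentences versus random words from a list. The 7776-word Diceware list size, the corpus sizes and the 8-word toy list are assumptions of this example; the thread gives no figure for the number of published sentences.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 7776  # 6**5 words, one per five dice rolls (assumed list)

# Constructed 8-word list, only to show generation; far too small for real use.
TOY_WORDLIST = ["correct", "horse", "battery", "staple",
                "circle", "night", "walk", "fire"]


def random_words_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Bits of entropy in n_words drawn uniformly and independently."""
    return n_words * math.log2(list_size)


def published_sentence_bits(corpus_size, n_sentences=1):
    """Bits of entropy in n_sentences drawn uniformly from a public corpus.

    Sentence length does not enter: the attacker enumerates corpus entries,
    not characters. A sentence picked because it is memorable is not a
    uniform draw, so this figure is an upper bound.
    """
    return n_sentences * math.log2(corpus_size)


def corpus_needed(target_bits, n_sentences=1):
    """Corpus size at which n_sentences uniform picks reach target_bits."""
    return math.ceil(2 ** (target_bits / n_sentences))


def generate_passphrase(wordlist, n_words=4):
    """Pick words with the OS CSPRNG; the entropy comes from the draw itself."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare(corpus_sizes, n_words=4):
    """Rows of (corpus_size, bits for 1 sentence, bits for 2, random-word bits)."""
    target = random_words_bits(n_words)
    return [(n, published_sentence_bits(n, 1),
             published_sentence_bits(n, 2), target) for n in corpus_sizes]


if __name__ == "__main__":
    target = random_words_bits(4)
    print(f"4 Diceware words: {target:.1f} bits")
    for n, one, two, _ in compare([10**9, 10**12]):  # hypothetical corpus sizes
        print(f"corpus {n:.0e}: one sentence {one:.1f} bits, two {two:.1f} bits")
    print(f"one sentence matches 4 words at ~{corpus_needed(target):.2e} sentences")
    print(f"two sentences match at ~{corpus_needed(target, 2):.2e} sentences")
    print("toy passphrase:", generate_passphrase(TOY_WORDLIST))
```
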
From jeandavid8 at verizon.net Sat Dec 26 16:54:31 2015
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Sat, 26 Dec 2015 10:54:31 -0500
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
References: <20151224160254.GA2153@c720-r285885-amd64>
<2294973.TDpHq92AEh@collossus.ingo-kloecker.de>
Message-ID: <567EB837.60304@verizon.net>
On 12/25/2015 12:50 PM, Ingo Klöcker wrote:
> On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote:
>> Hello,
>>
>> I do not fully understand why some 4 random words like
>>
>> Correct, horse! Battery staple!
>>
>> is a better passphrase like, for example
>>
>> Und allein dieser Mangel und nichts anderes führte zum Tod.
>>
>> i.e. some phrasing which could be memorized better?
>
> The second sentence is found by search engines (2 hits in
> DuckDuckGo). Don't use it or any other phrase that has been
> published on the internet. A phrase of 4 random words has a high
> probability that it has not been published on the internet (or
> anywhere else). The tricky part is that you must never put your
> 4-random-words phrase into a search engine to check this.
>
> Instead of using a 4-random-words phrase you can use a proper
> sentence with equivalent entropy provided that you do not use a
> sentence that has been published anywhere. Come up with your own
> sentence. Ideally come up with a sentence that doesn't make any
> sense like "The horse was correct. You cannot staple batteries."
> This phrase might be easier to remember and has a similar entropy
> as the above mentioned 4-random-words phrase.
>
>
A favorite of mine, not usable then, and even less so now, is the
following:
At Night We Walk in Circles and Are Consumed by Fire
In Latin, that is a palindrome.
It is now the name of a musical composition, and has a group of its
own on Facebook.
https://www.wnyc.org/radio/#/ondemand/510001
- --
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
/( )\ Shrewsbury, New Jersey http://linuxcounter.net
^^-^^ 10:35:01 up 1 day, 11:08, 2 users, load average: 4.16, 4.24, 4.19
From melvincarvalho at gmail.com Sat Dec 26 22:52:54 2015
From: melvincarvalho at gmail.com (Melvin Carvalho)
Date: Sat, 26 Dec 2015 22:52:54 +0100
Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64>
References: <20151224160254.GA2153@c720-r285885-amd64>
Message-ID:
On 24 December 2015 at 17:02, Matthias Apitz wrote:
>
> Hello,
>
> I do not fully understand why some 4 random words like
>
> Correct, horse! Battery staple!
>
> is a better passphrase like, for example
>
> Und allein dieser Mangel und nichts anderes führte zum Tod.
>
> i.e. some phrasing which could be memorized better?
>
Might help:
https://rya.nc/cracking_cryptocurrency_brainwallets.pdf
(See slide 35)
>
> matthias
> --
> Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ?
> +49-176-38902045
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From landaurob at gmail.com Sun Dec 27 07:11:56 2015
From: landaurob at gmail.com (Rob Landau)
Date: Sun, 27 Dec 2015 19:11:56 +1300
Subject: advice please
Message-ID:
Good day, I have just received my first Linux system (Ubuntu 14.04) It
has Seahorse installed, but I don't see any GnuPG application. How can I
determine if there is a GnuPG installed, and if so where to find it.
Searching the Dash for GnuPG reveals nothing, and there doesn't appear to
be any program in the Ubuntu Software Center
Cheers ~Rob
From lachlan at twopif.net Sun Dec 27 10:54:00 2015
From: lachlan at twopif.net (Lachlan Gunn)
Date: Sun, 27 Dec 2015 10:54:00 +0100
Subject: advice please
In-Reply-To:
References:
Message-ID:
Hello,
According to the documentation that I've found, it is called "passwords and
keys".
Thanks,
Lachlan
On 27 Dec. 2015 10:45, "Rob Landau" wrote:
> Good day, I have just received my first Linux system (Ubuntu 14.04) It
> has Seahorse installed, but I don't see any GnuPG application. How can I
> determine if there is a GnuPG installed, and if so where to find it.
> Searching the Dash for GnuPG reveals nothing, and there doesn't appear to
> be any program in the Ubuntu Software Center
>
> Cheers ~Rob
>
From rjh at sixdemonbag.org Sun Dec 27 11:19:13 2015
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 27 Dec 2015 04:19:13 -0600
Subject: advice please
In-Reply-To:
References:
Message-ID: <567FBB21.1060803@sixdemonbag.org>
> Good day, I have just received my first Linux system (Ubuntu 14.04)
Welcome to the world of free software. :)
> How can I determine if there is a GnuPG installed...
This is in the FAQ:
https://www.gnupg.org/faq/gnupg-faq.html#get_gnupg
Good luck!
From viktordick86 at gmail.com Sun Dec 27 11:04:16 2015
From: viktordick86 at gmail.com (Viktor Dick)
Date: Sun, 27 Dec 2015 11:04:16 +0100
Subject: advice please
In-Reply-To:
References:
Message-ID: <567FB7A0.1080501@gmail.com>
On 2015-12-27 07:11, Rob Landau wrote:
> Good day, I have just received my first Linux system (Ubuntu
> 14.04) It has Seahorse installed, but I don't see any GnuPG
> application. How can I determine if there is a GnuPG installed,
> and if so where to find it. Searching the Dash for GnuPG reveals
> nothing, and there doesn't appear to be any program in the Ubuntu
> Software Center
If I remember correctly, the set of 'applications' on an Ubuntu system
is only a subset of the set of packages. Specifically, applications
are only programs that, when installed, have entries in the menu (or
its Unity replacement). Programs that are console-only are usually not
listed in the menu and it is possible that they are also not listed in
the Software Center.
So the fact that there is no application called gnupg does not mean
that gnupg is not installed. It probably is. Maybe just open a
terminal and type 'gnupg', that way you can be sure.
Regards,
Viktor
From jays at panix.com Mon Dec 28 21:02:12 2015
From: jays at panix.com (Jay Sulzberger)
Date: Mon, 28 Dec 2015 15:02:12 -0500 (EST)
Subject: advice please
In-Reply-To:
References:
Message-ID:
On Sun, 27 Dec 2015, Rob Landau wrote:
> Good day, I have just received my first Linux system (Ubuntu 14.04) It
> has Seahorse installed, but I don't see any GnuPG application. How can I
> determine if there is a GnuPG installed, and if so where to find it.
> Searching the Dash for GnuPG reveals nothing, and there doesn't appear to
> be any program in the Ubuntu Software Center
>
> Cheers ~Rob
I use Debian. On my system, if I open a terminal, and then,
whether I am root or no, give the command:
apt-cache search gnupg
apt returns a long list of packages. Here are the last few:
pinentry-tty - minimal dumb-terminal PIN or pass-phrase entry for GnuPG
python-gnupg - Python wrapper for the GNU Privacy Guard (Python 2.x)
python3-gnupg - Python wrapper for the GNU Privacy Guard (Python 3.x)
libqca2-plugin-gnupg - transitional package for libqca2-plugins
signing-party - Various OpenPGP related tools
gnupg-doc - GNU Privacy Guard documentation
gnupg-agent - GNU privacy guard - cryptographic agent
gnupg2 - GNU privacy guard - a free PGP replacement (new v2.x)
gnupg2-dbg - debugging symbols for gnupg2
gpgsm - GNU privacy guard - S/MIME version
scdaemon - GNU privacy guard - smart card support
On Debian, if you are connected to the Net, and if you do, as root;
apt-get update
and then
apt-get install gnupg-doc gnupg-agent gnupg2
apt should install the above three packages.
Likely Ubuntu has a "GUI" wrapper or an equivalent for apt. I'd
have guessed that the "Ubuntu Software Center" would be it, and
that the USC would show you gnupg easily.
oo--JS.
From thecissou98 at hotmail.fr Mon Dec 28 19:43:47 2015
From: thecissou98 at hotmail.fr (Francis Le Roy)
Date: Mon, 28 Dec 2015 19:43:47 +0100
Subject: Create Process ec=87
Message-ID:
Hi,
I am trying to use your library but when I try to check the OpenPGP
engine's version, I get an error.
Attached are the code I tried to run and the complete error log.
Yours sincerely,
F.
-------------- next part --------------
#include "../Student.h"
#include "gpgme.h"
#include <iostream>
#include <string>
using namespace std;
void genKey(Sdt& student,int ksize,string passwd)
{
gpgme_set_global_flag("debug","9");
gpgme_check_version(NULL);
gpg_error_t test = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
cout << gpgme_strerror(test) << endl;
cout << "Engine : " << gpgme_get_dirinfo("gpg-name") << endl;
}
-------------- next part --------------
GPGME 2015-12-28 19:05:21 <0x2b18> gpgme_debug: level=9
GPGME 2015-12-28 19:05:21 <0x2b18> gpgme_debug: gpgme='D:\CODING\C++\bin\Debug'
GPGME 2015-12-28 19:05:21 <0x2b18> gpgme_check_version: call: 0=00000000, req_version=(null), VERSION=1.6.0
GPGME 2015-12-28 19:05:21 <0x2b18> gpgme_check_version_internal: call: 0=00000000, req_version=(null), offset_sig_validity=32
GPGME 2015-12-28 19:05:21 <0x2b18> gpgme-dinfo: gpgconf='C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe'
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: enter: filedes=0028F680, inherit_idx=1 (GPGME uses it for reading)
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: leave: read=0x0 (00000150/0x0), write=0x1 (00000164/0x0)
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: enter: path=0AF93FD0, path=C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 0] = C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 1] = --list-dirs
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, tmp_name = C:\Users\User\AppData\Local\Temp\gpgme-HBCBJ6
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, CreateProcess failed: ec=87
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: error: Input/output error
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000000
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000000, fd=0 -> handle=00000150 socket=-1 dupfrom=-1
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000001
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000001, fd=1 -> handle=00000164 socket=-1 dupfrom=-1
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: enter: filedes=0028F680, inherit_idx=1 (GPGME uses it for reading)
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: leave: read=0x0 (00000168/0x0), write=0x1 (00000174/0x0)
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: enter: path=0AF93FD0, path=C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 0] = C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 1] = --list-components
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, tmp_name = C:\Users\User\AppData\Local\Temp\gpgme-4Cb3i3
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, CreateProcess failed: ec=87
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: error: Input/output error
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000000
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000000, fd=0 -> handle=00000168 socket=-1 dupfrom=-1
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000001
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000001, fd=1 -> handle=00000174 socket=-1 dupfrom=-1
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: enter: filedes=0028FA5C, inherit_idx=1 (GPGME uses it for reading)
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: leave: read=0x0 (0000017C/0x0), write=0x1 (00000190/0x0)
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: enter: path=0AF93FD0, path=C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 0] = C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 1] = --version
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, tmp_name = C:\Users\User\AppData\Local\Temp\gpgme-DrOuSZ
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, CreateProcess failed: ec=87
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: error: Input/output error
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000000
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000000, fd=0 -> handle=0000017C socket=-1 dupfrom=-1
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000001
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000001, fd=1 -> handle=00000190 socket=-1 dupfrom=-1
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0
GPGME 2015-12-28 19:05:21 <0x2b18> engine.c:365: returning error: Invalid crypto engine
GPGME 2015-12-28 19:05:21 <0x2b18> engine.c:155: returning error: Invalid crypto engine
Invalid crypto engine
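Added example (not from the poster or the GPGME project): a small parser that groups the `_gpgme_io_spawn` lines of the debug log above into one record per spawn attempt and names the Windows error code. It assumes `ec` is the Win32 GetLastError() value; the sample lines are excerpted from the log above.

```python
import re

# Win32 error codes (winerror.h) commonly returned when CreateProcess fails.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    87: "ERROR_INVALID_PARAMETER",
    193: "ERROR_BAD_EXE_FORMAT",
    740: "ERROR_ELEVATION_REQUIRED",
}

# Excerpt of the GPGME debug log posted above (two of the three attempts).
SAMPLE_LOG = r"""
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: enter: path=0AF93FD0, path=C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 0] = C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 1] = --list-dirs
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, tmp_name = C:\Users\User\AppData\Local\Temp\gpgme-HBCBJ6
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, CreateProcess failed: ec=87
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: error: Input/output error
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: enter: path=0AF93FD0, path=C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 0] = C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 1] = --list-components
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, CreateProcess failed: ec=87
GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: error: Input/output error
GPGME 2015-12-28 19:05:21 <0x2b18> engine.c:365: returning error: Invalid crypto engine
"""

# "GPGME <date> <time> <thread-id> <function>: <message>"
PREFIX = re.compile(r"^GPGME \S+ \S+ <0x[0-9a-fA-F]+>\s+(?P<func>\S+?): (?P<rest>.*)$")
ENTER = re.compile(r"^enter: path=[0-9A-Fa-f]+, path=(?P<exe>.+)$")
ARGV = re.compile(r"argv\[\s*\d+\] = (?P<val>.*)$")
FAILED = re.compile(r"CreateProcess failed: ec=(?P<ec>\d+)")


def parse_spawn_attempts(log_text):
    """Return one dict per _gpgme_io_spawn call: exe, argv, ec, ec_name."""
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m or m.group("func") != "_gpgme_io_spawn":
            continue
        rest = m.group("rest")
        enter = ENTER.match(rest)
        if enter:
            current = {"exe": enter.group("exe"), "argv": [],
                       "ec": None, "ec_name": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # truncated log: detail lines without an "enter" line
        arg = ARGV.search(rest)
        if arg:
            current["argv"].append(arg.group("val"))
            continue
        failed = FAILED.search(rest)
        if failed:
            ec = int(failed.group("ec"))
            current["ec"] = ec
            current["ec_name"] = WIN32_ERRORS.get(ec, "unknown (see winerror.h)")
    return attempts


def failed_commands(attempts):
    """One summary line per attempt whose CreateProcess call failed."""
    out = []
    for a in attempts:
        if a["ec"] is not None:
            args = " ".join(a["argv"][1:])
            out.append(f"{a['exe']} {args} -> ec={a['ec']} {a['ec_name']}")
    return out


if __name__ == "__main__":
    for summary in failed_commands(parse_spawn_attempts(SAMPLE_LOG)):
        print(summary)
```

Code 87 is ERROR_INVALID_PARAMETER; a missing gpgconf.exe would instead be reported as code 2 (ERROR_FILE_NOT_FOUND).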
From sbutler at fchn.com Mon Dec 28 22:52:54 2015
From: sbutler at fchn.com (Steve Butler)
Date: Mon, 28 Dec 2015 21:52:54 +0000
Subject: advice please
In-Reply-To:
References:
Message-ID: <04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com>
I see the attached when I do the search in Software Center on Ubuntu 15.10.
Stephen M. Butler, PMP, PSM
IT Manager - Software Engineering
First Choice Health Network
Email: sbutler at fchn.com
Voice: 206-268-2309
Fax: 206-268-6173
-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Jay Sulzberger
Sent: Monday, December 28, 2015 12:02 PM
To: GnuPG-users at gnupg.org
Subject: Re: advice please
On Sun, 27 Dec 2015, Rob Landau wrote:
> Good day, I have just received my first Linux system (Ubuntu 14.04)
> It has Seahorse installed, but I don't see any GnuPG application. How
> can I determine if there is a GnuPG installed, and if so where to find it.
> Searching the Dash for GnuPG reveals nothing, and there doesn't appear
> to be any program in the Ubuntu Software Center
>
> Cheers ~Rob
I use Debian. On my system, if I open a terminal, and then, whether I am root or no, give the command:
apt-cache search gnupg
apt returns a long list of packages. Here are the last few:
pinentry-tty - minimal dumb-terminal PIN or pass-phrase entry for GnuPG
python-gnupg - Python wrapper for the GNU Privacy Guard (Python 2.x)
python3-gnupg - Python wrapper for the GNU Privacy Guard (Python 3.x)
libqca2-plugin-gnupg - transitional package for libqca2-plugins
signing-party - Various OpenPGP related tools
gnupg-doc - GNU Privacy Guard documentation
gnupg-agent - GNU privacy guard - cryptographic agent
gnupg2 - GNU privacy guard - a free PGP replacement (new v2.x)
gnupg2-dbg - debugging symbols for gnupg2
gpgsm - GNU privacy guard - S/MIME version
scdaemon - GNU privacy guard - smart card support
On Debian, if you are connected to the Net, and if you do, as root;
apt-get update
and then
apt-get install gnupg-doc gnupg-agent gnupg2
apt should install the above three packages.
Likely Ubuntu has a "GUI" wrapper or an equivalent for apt. I'd have guessed that the "Ubuntu Software Center" would be it, and that the USC would show you gnupg easily.
oo--JS.
--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2015-12-28 13-39-46.png
Type: image/png
Size: 213838 bytes
Desc: Screenshot from 2015-12-28 13-39-46.png
URL:
From jays at panix.com Mon Dec 28 23:22:20 2015
From: jays at panix.com (Jay Sulzberger)
Date: Mon, 28 Dec 2015 17:22:20 -0500 (EST)
Subject: advice please
In-Reply-To: <04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com>
References:
<04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com>
Message-ID:
On Mon, 28 Dec 2015, Steve Butler wrote:
> I see the attached when I do the search in Software Center on Ubuntu 15.10.
>
>
> Stephen M. Butler, PMP, PSM
Well, I see gnupg in the list, I am not sure whether it is gnupg2 or not.
gpg is hard to set up. Even after it is set up to do what you
want, your correspondent must also have a working gpg/PGP system,
else you will not be able to communicate using gpg as your
encrypt/decrypt system. The Free Software Forces have, so far,
failed to produce an email crypto system which one billion people
could use. We have a good central armature for such a system,
namely gpg, but the stuff around gpg is in practice very
difficult to use.
What do you want to do with GnuPG?
oo--JS.
> IT Manager - Software Engineering
> First Choice Health Network
> Email: sbutler at fchn.com
> Voice: 206-268-2309
> Fax: 206-268-6173
>
>
> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Jay Sulzberger
> Sent: Monday, December 28, 2015 12:02 PM
> To: GnuPG-users at gnupg.org
> Subject: Re: advice please
>
>
> On Sun, 27 Dec 2015, Rob Landau wrote:
>
>> Good day, I have just received my first Linux system (Ubuntu 14.04)
>> It has Seahorse installed, but I don't see any GnuPG application. How
>> can I determine if there is a GnuPG installed, and if so where to find it.
>> Searching the Dash for GnuPG reveals nothing, and there doesn't appear
>> to be any program in the Ubuntu Software Center
>>
>> Cheers ~Rob
>
> I use Debian. On my system, if I open a terminal, and then, whether I am root or no, give the command:
>
> apt-cache search gnupg
>
> apt returns a long list of packages. Here are the last few:
>
> pinentry-tty - minimal dumb-terminal PIN or pass-phrase entry for GnuPG
> python-gnupg - Python wrapper for the GNU Privacy Guard (Python 2.x)
> python3-gnupg - Python wrapper for the GNU Privacy Guard (Python 3.x)
> libqca2-plugin-gnupg - transitional package for libqca2-plugins
> signing-party - Various OpenPGP related tools
> gnupg-doc - GNU Privacy Guard documentation
> gnupg-agent - GNU privacy guard - cryptographic agent
> gnupg2 - GNU privacy guard - a free PGP replacement (new v2.x)
> gnupg2-dbg - debugging symbols for gnupg2
> gpgsm - GNU privacy guard - S/MIME version
> scdaemon - GNU privacy guard - smart card support
>
> On Debian, if you are connected to the Net, and if you do, as root;
>
> apt-get update
>
> and then
>
> apt-get install gnupg-doc gnupg-agent gnupg2
>
> apt should install the above three packages.
>
> Likely Ubuntu has a "GUI" wrapper or an equivalent for apt. I'd have guessed that the "Ubuntu Software Center" would be it, and that the USC would show you gnupg easily.
>
> oo--JS.
From juanmi.3000 at gmail.com Tue Dec 29 01:37:30 2015
From: juanmi.3000 at gmail.com (Juan Miguel Navarro Martínez)
Date: Tue, 29 Dec 2015 01:37:30 +0100
Subject: advice please
In-Reply-To:
References:
Message-ID: <5681D5CA.2020106@gmail.com>
If you believe that distro is trustworthy and one of the recommended
ones for Linux users, then just try:
gpg --version && gpg2 --version
It will first try to use gpg and tell its version and, if it does, it
will then try to do with 'gpg2'.
If it's a Debian-based distro or a distro with apt-get, you can do:
sudo apt-get update && apt-cache policy gnupg gnupg2
First command will update the local cache of the software listed in the
repository, if it all goes well then apt-cache will output a small info
about each package, including the preferred version in the repositories
and, either it'll say if it is not installed or if it is, it will output
the version installed.
You can also try:
dpkg -s gnupg | more; dpkg -s gnupg2 | more
Which, if installed, will output information about the package, version,
dependencies and if it is still installed or not. First for gnupg, then
for gnupg2.
You are using Ubuntu 14.04, which by default comes with GnuPG 1.X
installed. You can install GnuPG 2.0.X by doing:
sudo apt-get update && sudo apt-get install gnupg2
On 2015-12-27 at 07:11, Rob Landau wrote:
> Good day, I have just received my first Linux system (Ubuntu 14.04) It
> has Seahorse installed, but I don't see any GnuPG application. How can I
> determine if there is a GnuPG installed, and if so where to find it.
> Searching the Dash for GnuPG reveals nothing, and there doesn't appear to
> be any program in the Ubuntu Software Center
>
> Cheers ~Rob
--
Juan Miguel Navarro Martínez
GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF
From bob.henson at galen.org.uk Tue Dec 29 10:07:31 2015
From: bob.henson at galen.org.uk (Bob Henson)
Date: Tue, 29 Dec 2015 09:07:31 +0000
Subject: advice please
In-Reply-To:
References:
<04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com>
Message-ID: <56824D53.2000804@galen.org.uk>
On 28/12/2015 10:22 pm, Jay Sulzberger wrote:
>
> On Mon, 28 Dec 2015, Steve Butler wrote:
>
>> I see the attached when I do the search in Software Center on Ubuntu 15.10.
>>
>>
>> Stephen M. Butler, PMP, PSM
>
> Well, I see gnupg in the list, I am not sure whether it is gnupg2 or not.
>
> gpg is hard to set up. Even after it is set up to do what you
> want, your correspondent must also have a working gpg/PGP system,
> else you will not be able to communicate using gpg as your
> encrypt/decrypt system. The Free Software Forces have, so far,
> failed to produce an email crypto system which one billion people
> could use. We have a good central armature for such a system,
> namely gpg, but the stuff around gpg is in practice very
> difficult to use.
>
I'm not that technical - but I can tell you that basic signing and
encryption with GnuPG (what else would anyone want it for?) isn't hard
to use at all, even for an ancient old geezer like me. The thing to do
is to forget all about command lines and run it from Enigmail within
Thunderbird (easiest and best) or the appropriate extension/s within
Claws Mail. Most other Linux e-mail clients will do it too - but most
other Linux e-mail clients are very poor, in my experience.
If, as you imply above, you are looking for a more universal system of
encryption, then PGP/OpenPGP certainly isn't the one to use - it is
intended to be a "person to person" system used between people known to
one another and whose keys can be countersigned with absolute certainty.
There is already a system, albeit far from perfect, which lends itself
to large scale use and that is the X.509 certificate system - already
widely used.
Regards,
Bob
From thecissou98 at hotmail.fr Tue Dec 29 12:24:26 2015
From: thecissou98 at hotmail.fr (Francis Le Roy)
Date: Tue, 29 Dec 2015 12:24:26 +0100
Subject: General error when creating keypair
Message-ID:
Hi,
I got a problem generating a key pair: when I run the code, it returns a
General error code :/.
If you could give me a sample on how to gen a key or fix my code it
would be nice :)
Yours sincerely,
F.
gpgme_set_global_flag("debug", "9");
gpgme_set_global_flag("disable-gpgconf","1");
gpgme_set_global_flag("gpg-name","gpgconf");
cout << "cououcou" << endl;
gpgme_check_version(NULL);
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,NULL,"CHOME");
gpgme_ctx_t ctx;
gpgme_error_t err;
gpgme_data_t pubkey;
gpgme_data_t privkey;
setlocale (LC_ALL, "");
gpgme_set_locale (NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL));
#ifdef LC_MESSAGES
gpgme_set_locale (NULL, LC_MESSAGES, setlocale (LC_MESSAGES, NULL));
#endif
err = gpgme_new(&ctx);
if(err!=GPG_ERR_NO_ERROR) return err;
err = gpgme_set_protocol(ctx,GPGME_PROTOCOL_OpenPGP);
if(err!=GPG_ERR_NO_ERROR) return err;
gpgme_set_armor(ctx,1);
gpgme_set_offline(ctx,1);
string req = "";
req += "\nKey-Type: RSA";
req += "\nKey-length: 1024";
req += "\nName-Real: " + student.getFname() + " " + student.getLname();
req += "\nName-Comment: " + student.getAddress();
req += " " + student.getCity();
req += " " + student.getZip();
req += " " + student.getCountry();
req += "\nExpire-Date: 0";
req += "\nPassphrase: bla";
req += "\n";
cout << "Sgen ";
gpgme_data_new(&pubkey);
gpgme_data_new(&privkey);
gpgme_data_set_encoding(privkey,GPGME_DATA_ENCODING_ARMOR);
gpgme_data_set_encoding(pubkey,GPGME_DATA_ENCODING_ARMOR);
const char* param = req.c_str();
err = gpgme_op_genkey(ctx,param,NULL,NULL);
cout << "Egen" << endl;
if(err!=GPG_ERR_NO_ERROR) return err;
From bob.henson at galen.org.uk Tue Dec 29 12:51:23 2015
From: bob.henson at galen.org.uk (Bob Henson)
Date: Tue, 29 Dec 2015 11:51:23 +0000
Subject: General error when creating keypair
In-Reply-To:
References:
Message-ID: <568273BB.8050800@galen.org.uk>
On 29/12/2015 11:24 am, Francis Le Roy wrote:
> Hi,
> I got a problem generating a key pair, when I run the code, it return a
> General error code :/.
> If you could give me a sample on how to gen a key or fix my code it
> would be nice :)
>
As you're using Thunderbird, why not add the Enigmail extension, and let
that do it for you simply and automatically?
Regards,
Bob
From stebe at mailbox.org Tue Dec 29 15:05:35 2015
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 29 Dec 2015 15:05:35 +0100 (CET)
Subject: advice please (just about the same over here)
In-Reply-To: <56824D53.2000804@galen.org.uk>
References:
<04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com>
<56824D53.2000804@galen.org.uk>
Message-ID: <653946150.20246.0908b4f2-5a5f-4173-ad10-b90afa4f1ed8.open-xchange@office.mailbox.org>
> On 29 December 2015 at 10:07, Bob Henson wrote:
>
>
> On 28/12/2015 10:22 pm, Jay Sulzberger wrote:
> >
> > On Mon, 28 Dec 2015, Steve Butler wrote:
> >
> If, as you imply above, you are looking for a more universal system of
> encryption, then PGP/OpenPGP certainly isn't the one to use - it is
> intended to be a "person to person" system used between people known to
> one another and whose keys can be countersigned with absolute certainty.
> There is already a system, albeit far from perfect, which lends itself
> to large scale use and that is the X.509 certificate system - already
> widely used.
>
(Sorry for appending a slightly off-topic question to this thread, well, I
really like the person-to-person design of gpg and the WebofTrust, and the
Enigmail extension makes it quite easy to get along, the Enigmail handbook
is written in a clear and concise manner suited for beginners as well as
for more technical users...whenever you need a free German translation,
knock on my door!)
By the way, talking about the X509 certificate system, which is the exact
command line syntax to verify (using openssl, I guess) a given
certificate's signature by using the public key of the certificate that
has issued the certificate to be verified?
openssl verify pkeyutl (and what else? "sigfile=file" AND "pkey" as a file
or STDIN?)
The certificate to be validated (as presented in the TLS handshake) is not
present as a file, just as a data stream captured with a specialized tool,
and in the signature field I cannot see a signature, just the algorithm
used, or maybe I am blind?) whereas the OCSP response details a long
signature preceded by the word "signature:". The public key I have to use
is already in the browser's certificate, but how do I get it all down to
command line syntax?
Any help appreciated.
Cheers,
Stephan
From stebe at mailbox.org Tue Dec 29 21:42:59 2015
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 29 Dec 2015 21:42:59 +0100 (CET)
Subject: advice please (just about the same over here)
In-Reply-To: <653946150.20246.0908b4f2-5a5f-4173-ad10-b90afa4f1ed8.open-xchange@office.mailbox.org>
References:
<04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com>
<56824D53.2000804@galen.org.uk>
<653946150.20246.0908b4f2-5a5f-4173-ad10-b90afa4f1ed8.open-xchange@office.mailbox.org>
Message-ID: <1706253488.20267.4f93bbb7-49e9-4096-98e2-0e9b73c7cc94.open-xchange@office.mailbox.org>
> stebe at mailbox.org hat am 29. Dezember 2015 um 15:05 geschrieben:
>
>
>
> > Bob Henson hat am 29. Dezember 2015 um 10:07
> > geschrieben:
> >
> >
> > On 28/12/2015 10:22 pm, Jay Sulzberger wrote:
> > >
> > > On Mon, 28 Dec 2015, Steve Butler wrote:
> > >
>
> > If, as you imply above, you are looking for a more universal system of
> > encryption, then PGP/OpenPGP certainly isn't the one to use - it is
> > intended to be a "person to person" system used between people known to
> > one another and whose keys can be countersigned with absolute certainty.
> > There is already a system, albeit far from perfect, which lends itself
> > to large scale use and that is the X.509 certificate system - already
> > widely used.
> >
> (Sorry for appending a slightly off-topic question to this thread, well, I
> really like the person-to person design of gpg and the WebofTrust, and the
> enigmail extension makes it quite easy to get along, the Enigmail handbook
> is written in a clear and concise manner suited for beginners as well as
> for more technical users...whenever you need a free German translation,
> knock on my door!)
>
> By the way, talking about the X509 certificate system, which is the exact
> command line syntax to verify (using openssl, I guess) a given
> certificate's signature by using the public key of the certificate that
> has issued the certificate to be verified?
Resolved. I have found the specific command line syntax. And sorry (to the
author/translator), there IS a German Enigmail handbook translation. I
only use the English original and I've never taken a look at the German
version.
A nice New Year's eve to everyone
Stebe
From wk at gnupg.org Wed Dec 30 21:55:49 2015
From: wk at gnupg.org (Werner Koch)
Date: Wed, 30 Dec 2015 21:55:49 +0100
Subject: General error when creating keypair
In-Reply-To: (Francis Le Roy's message of "Tue, 29 Dec 2015 12:24:26 +0100")
References:
Message-ID: <87poxnmzai.fsf@vigenere.g10code.de>
On Tue, 29 Dec 2015 12:24, thecissou98 at hotmail.fr said:
> gpgme_set_global_flag("debug", "9");
> gpgme_set_global_flag("disable-gpgconf","1");
> gpgme_set_global_flag("gpg-name","gpgconf");
Why are you using these global flags? They are only useful in some
certain environments.
Disabling gpgconf and changing the name of gpg to gpgconf is definitely
not a good idea. c+p error? Remove all these flags.
> if(err!=GPG_ERR_NO_ERROR) return err;
BTW, using
if (err) return err;
is much easier to read.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From david at gbenet.com Thu Dec 31 02:18:15 2015
From: david at gbenet.com (david at gbenet.com)
Date: Thu, 31 Dec 2015 09:18:15 +0800
Subject: Ian Murdock
Message-ID: <56848257.2090005@gbenet.com>
Apparently the founder of the Debian project, Ian Murdock, has died
[1]. There is some interesting discussion on Reddit, especially the link
to his last tweets [2].
This is very sad news, especially given the alleged circumstances.
[1] https://blog.docker.com/2015/12/ian-murdock/
[2] https://www.reddit.com/r/programming/comments/3ytdsi/ian_murdock_creator_of_debian_has_died/
David
--
"See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the
kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No
delusion." https://linuxcounter.net/user/512854.html - http://gbenet.com